| Header | Value |
|---|---|
| Return-Path | <rosuav@gmail.com> |
| X-Original-To | python-list@python.org |
| Delivered-To | python-list@mail.python.org |
| In-Reply-To | <51E423E5.2030303@arskom.com.tr> |
| References | <CAPTjJmqAEUUrUxaFjAh8qGjBbNuhNp9Nz6RKQDbraOm0kCVJDg@mail.gmail.com> <595253102.8424684.1373892072113.JavaMail.root@sequans.com> <CAPTjJmoP0OHZP+GBjjZxVMwVT0eSXG1azK1NkZov_x4=1jq-xQ@mail.gmail.com> <51E4184F.3080607@arskom.com.tr> <CAPTjJmrCFtjhKaO_SBzGWsGKt-NyXmVaZ__Bj7dF1b0FDcuJuw@mail.gmail.com> <51E423E5.2030303@arskom.com.tr> |
| Date | Tue, 16 Jul 2013 02:41:09 +1000 |
| Subject | Re: Python - remote object protocols and security |
| From | Chris Angelico <rosuav@gmail.com> |
| To | python-list@python.org |
| Newsgroups | comp.lang.python |
| Message-ID | <mailman.4740.1373906471.3114.python-list@python.org> (permalink) |
On Tue, Jul 16, 2013 at 2:31 AM, Burak Arslan <burak.arslan@arskom.com.tr> wrote:
> On 07/15/13 16:53, Chris Angelico wrote:
>> I haven't looked into the details, but there was one among a list of
>> exploits that was being discussed a few months ago; it involved XML
>> schemas, I think, and quite a few generic XML parsers could be tricked
>> into fetching arbitrary documents. Whether this could be used for
>> anything more serious than a document-viewed receipt or a denial of
>> service (via latency) I don't know, but if nothing else, it's a vector
>> that JSON simply doesn't have. ChrisA
>
> I must have missed that exploit report; can you provide a link?
>
> Parsing arbitrary XML documents and parsing XML schema documents and
> applying XML schema semantics to these documents are two very different
> operations.

I don't remember all the details; it isn't something I took particular
note of, as I don't work much with XML. It was something involving
either a schema declaration or a DTD or something of the sort, where
normally no external lookup is required but there's an HTTP URL in
there and it's possible to force that to be resolved.

> XML schemas are not "tricked" into fetching arbitrary documents;
> xs:include and xs:import fetch external documents, it's a well-known
> feature. If you don't want this, you should ship all of the schema
> documents together and generate the schemas in a way to not include any
> external references. So I'm surprised this was presented as a security
> exploit.

It was something that parsing a basic XML document could trigger, and
in an environment where you wouldn't normally expect extra HTTP
requests to be going out, hence "tricked".

> JSON schemas also have similar functionality:
> http://json-schema.org/latest/json-schema-core.html#anchor30
>
> """
> if canonical dereferencing is used, the implementation will dereference
> this URI, and fetch the content at this URI;
> """
>
> So I don't understand how you're so sure of yourself, but to me, it
> seems like JSON schemas have the same attack vectors.

Yes, but normal JSON data doesn't include schema references. Normal XML
data can and often does.

ChrisA
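The thread's point is that a plain XML document can carry a DTD or schema location that some parsers will resolve over HTTP, while plain JSON data carries no such reference. As an added example (not code from the thread or from any project discussed in it), here is a pre-parse check in Python that lists the external locations a document declares (DOCTYPE external identifier, `xsi:schemaLocation`, `xs:import`/`xs:include`) without fetching any of them, so a service can reject or log such documents before a fetching parser ever sees them. The `.invalid` hostnames in the samples are constructed placeholders.

```python
import re
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
XS = "http://www.w3.org/2001/XMLSchema"
# DOCTYPE declaration up to its internal subset or closing '>'; the text of a
# DOCTYPE inside a comment would also match, which only errs on the cautious side.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b([^\[>]*)", re.IGNORECASE)
QUOTED_RE = re.compile(r"\"([^\"]*)\"|'([^']*)'")

def external_references(xml_text):
    """List (kind, location) pairs a fetching parser might resolve for this
    document, without fetching anything: the DOCTYPE external identifier,
    xsi:schemaLocation / xsi:noNamespaceSchemaLocation, and the
    schemaLocation of xs:import / xs:include inside a schema document."""
    refs = []
    m = DOCTYPE_RE.search(xml_text)
    if m:
        decl = m.group(1)
        quoted = [a or b for a, b in QUOTED_RE.findall(decl)]
        if re.search(r"\bSYSTEM\b", decl, re.IGNORECASE) and quoted:
            refs.append(("doctype", quoted[0]))           # SYSTEM "uri"
        elif re.search(r"\bPUBLIC\b", decl, re.IGNORECASE) and len(quoted) > 1:
            refs.append(("doctype", quoted[1]))           # PUBLIC "id" "uri"
    # expat parses the declarations but never loads what they point at
    for el in ET.fromstring(xml_text).iter():
        loc = el.get("{%s}schemaLocation" % XSI)
        if loc:  # "namespace location namespace location ..." pairs
            refs += [("xsi:schemaLocation", u) for u in loc.split()[1::2]]
        loc = el.get("{%s}noNamespaceSchemaLocation" % XSI)
        if loc:
            refs.append(("xsi:noNamespaceSchemaLocation", loc))
        if el.tag in ("{%s}import" % XS, "{%s}include" % XS) and el.get("schemaLocation"):
            refs.append((el.tag.split("}")[1], el.get("schemaLocation")))
    return refs

def remote_references(xml_text):
    """Only the references that would leave the host (http/https/ftp)."""
    return [u for _, u in external_references(xml_text)
            if urlsplit(u).scheme in ("http", "https", "ftp")]

# constructed samples; the .invalid hosts are placeholders that never resolve
SAMPLE_PLAIN = "<note>hi</note>"
SAMPLE_DTD = ('<?xml version="1.0"?>\n'
              '<!DOCTYPE note SYSTEM "http://dtd.example.invalid/note.dtd">\n'
              "<note>hi</note>")
SAMPLE_XSI = ('<order xmlns:xsi="%s" xsi:schemaLocation="urn:example:order '
              'http://schemas.example.invalid/order.xsd"><item/></order>' % XSI)
SAMPLE_XSD = ('<xs:schema xmlns:xs="%s"><xs:import namespace="urn:x" '
              'schemaLocation="http://schemas.example.invalid/x.xsd"/>'
              '<xs:include schemaLocation="local.xsd"/></xs:schema>' % XS)
```

A document for which `remote_references` returns a non-empty list is one that, in Chris's words, could cause HTTP requests "in an environment where you wouldn't normally expect" them, and is worth rejecting or at least logging before parsing.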