Subject: Re: Python - remote object protocols and security
From: Chris Angelico
To: python-list@python.org
Date: Tue, 16 Jul 2013 02:41:09 +1000
Newsgroups: comp.lang.python
In-Reply-To: <51E423E5.2030303@arskom.com.tr>

On Tue, Jul 16, 2013 at 2:31 AM, Burak Arslan wrote:
> On 07/15/13 16:53, Chris Angelico wrote:
>> I haven't looked into the details, but there was one among a list of
>> exploits that was being discussed a few months ago; it involved XML
>> schemas, I think, and quite a few generic XML parsers could be tricked
>> into fetching arbitrary documents. Whether this could be used for
>> anything more serious than a document-viewed receipt or a denial of
>> service (via latency) I don't know, but if nothing else, it's a vector
>> that JSON simply doesn't have.
>>
>> ChrisA
>
> I must have missed that exploit report, can you provide a link?
>
> Parsing arbitrary xml documents and parsing xml schema documents and
> applying xml schema semantics to these documents are two very different
> operations.

I don't remember all the details; it isn't something I took particular
note of, as I don't work much with XML. It was something involving either
a schema declaration or a DTD or something of the sort, where normally no
external lookup is required but there's an HTTP URL in there and it's
possible to force that to be resolved.

> Xml schemas are not "tricked" into fetching arbitrary documents,
> xs:include and xs:import fetch external documents, it's a well-known
> feature. If you don't want this, you should ship all of the schema
> documents together and generate the schemas in a way to not include any
> external references. So I'm surprised this was presented as a security
> exploit.

It was something that parsing a basic XML document could trigger, and in
an environment where you wouldn't normally expect extra HTTP requests to
be going out, hence "tricked".

> Json schemas also have similar functionality:
> http://json-schema.org/latest/json-schema-core.html#anchor30
>
> """
> if canonical dereferencing is used, the implementation will dereference
> this URI, and fetch the content at this URI;
> """
>
> So I don't understand how you're so sure of yourself, but to me, it
> seems like Json schemas have the same attack vectors.

Yes, but normal JSON data doesn't include schema references. Normal XML
data can and often does.

ChrisA
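The mechanism Chris is describing (a DOCTYPE or entity declaration in an ordinary XML document that carries an HTTP URL a parser may resolve) can be seen with nothing but the standard library. The following is an added example, not code from the thread or from any project discussed in it; it uses Python's `xml.parsers.expat` binding to list the external references a document declares and to confirm that parsing it fetches nothing. The sample document and the `schema.example.invalid` host name are constructed for the example and are never contacted.

```python
"""Audit an XML document for external references without resolving them.

Added example, not from the mailing-list thread. Uses only the standard
library's expat binding. Expat does not load the external DTD subset
unless parameter-entity parsing is switched on (it is off by default),
and the ExternalEntityRefHandler below records the reference and returns 1
("handled") without opening the system identifier, which is the same
skip-without-fetching pattern xml.sax.expatreader uses when external
general entities are disabled.
"""
import xml.parsers.expat as expat

# Constructed sample (not from the thread): a small document whose DTD
# points at an external URL and which declares one external entity.
# The host name is a placeholder; nothing here makes a network request.
SAMPLE_XML = b"""<?xml version="1.0"?>
<!DOCTYPE note SYSTEM "http://schema.example.invalid/note.dtd" [
  <!ENTITY greeting "hello">
  <!ENTITY remote SYSTEM "http://schema.example.invalid/remote.txt">
]>
<note>&greeting; &remote;</note>
"""


def audit_xml(data: bytes) -> dict:
    """Parse `data` and report every external reference it declares or uses.

    Returns a dict with:
      doctype_external   (name, system_id, public_id) if the DOCTYPE names an
                         external subset, else None
      external_entities  [(entity_name, system_id), ...] declared with SYSTEM
      referenced         system ids of external entities actually used in
                         content (the parser would fetch these if allowed)
      text               the character data that was parsed
    """
    report = {
        "doctype_external": None,
        "external_entities": [],
        "referenced": [],
        "text": "",
    }
    parser = expat.ParserCreate()

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # A SYSTEM or PUBLIC identifier means the DTD lives somewhere else.
        if sysid or pubid:
            report["doctype_external"] = (name, sysid, pubid)

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Internal entities carry a value and no system id; external ones
        # carry a system id and no value.
        if sysid is not None:
            report["external_entities"].append((name, sysid))

    def external_ref(context, base, sysid, pubid):
        # Called when content references an external entity. A resolver
        # that opened `sysid` here is exactly the behaviour being discussed;
        # we only record it and tell expat the reference was handled.
        report["referenced"].append(sysid)
        return 1

    def char_data(text):
        report["text"] += text

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.CharacterDataHandler = char_data
    parser.Parse(data, True)
    return report


def has_external_references(data: bytes) -> bool:
    """True if the document declares an external DTD subset or entity."""
    r = audit_xml(data)
    return bool(r["doctype_external"] or r["external_entities"])


if __name__ == "__main__":
    for key, value in audit_xml(SAMPLE_XML).items():
        print(f"{key:18} {value!r}")
```

A service that accepts XML from outside can run `has_external_references` on the input and reject anything that declares an external subset or entity before handing it to a full-featured parser; documents that legitimately need their schema can ship it alongside, as Burak suggests, rather than naming a URL in the document.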