

Groups > comp.lang.python > #50699 > unrolled thread

Re: Python - remote object protocols and security

Started by: Burak Arslan <burak.arslan@arskom.com.tr>
First post: 2013-07-15 17:31 +0100
Last post: 2013-07-15 17:31 +0100
Articles: 1 — 1 participant


This discussion starts older than the indexed window; earlier articles aren't shown. The article labeled Started by below is the oldest one visible, not the original post.



#50699 — Re: Python - remote object protocols and security

From: Burak Arslan <burak.arslan@arskom.com.tr>
Date: 2013-07-15 17:31 +0100
Subject: Re: Python - remote object protocols and security
Message-ID: <mailman.4739.1373905875.3114.python-list@python.org>
On 07/15/13 16:53, Chris Angelico wrote:
> I haven't looked into the details, but there was one among a list of
> exploits that was being discussed a few months ago; it involved XML
> schemas, I think, and quite a few generic XML parsers could be tricked
> into fetching arbitrary documents. Whether this could be used for
> anything more serious than a document-viewed receipt or a denial of
> service (via latency) I don't know, but if nothing else, it's a vector
> that JSON simply doesn't have.
>
> ChrisA

I must have missed that exploit report, can you provide a link?

Parsing arbitrary XML documents, and parsing XML schema documents and
applying XML schema semantics to these documents, are two very different
operations.

XML schemas are not "tricked" into fetching arbitrary documents;
xs:include and xs:import fetch external documents, and it's a well-known
feature. If you don't want this, you should ship all of the schema
documents together and generate the schemas in a way that does not include
any external references. So I'm surprised this was presented as a security
exploit.

JSON schemas also have similar functionality:
http://json-schema.org/latest/json-schema-core.html#anchor30

"""
if canonical dereferencing is used, the implementation will dereference
this URI, and fetch the content at this URI;
"""

So I don't understand how you're so sure of yourself, but to me, it
seems like JSON schemas have the same attack vectors.

Best regards,
Burak
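The post argues that both XML Schema (xs:include / xs:import with schemaLocation) and JSON Schema ($ref with canonical dereferencing) can point a validator at documents it will go and fetch, and that the mitigation is to ship all schema documents together with no external references. The following is an added example, not code from either poster or from any project discussed in the thread; it is a pre-flight check that walks a schema bundle, collects every such reference from both formats, and reports the ones that name a remote host, so a deployment can refuse to load a bundle that would cause a validator to reach out over the network. It uses only the Python standard library; the sample schema documents and the schemas.example.invalid host are constructed for the example.

```python
"""Find external references in XML Schema and JSON Schema documents.

Added example (not from the original thread). Standard library only.
"""
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XS_NS = "http://www.w3.org/2001/XMLSchema"
# Elements whose schemaLocation attribute makes a schema processor load another document.
XSD_REF_TAGS = {"{%s}%s" % (XS_NS, t) for t in ("include", "import", "redefine")}
# Schemes that make a reference resolvable only by a network fetch.
REMOTE_SCHEMES = {"http", "https", "ftp"}


def xsd_external_refs(xsd_text):
    """Return schemaLocation values of xs:include / xs:import / xs:redefine, in document order."""
    root = ET.fromstring(xsd_text)
    refs = []
    for el in root.iter():
        if el.tag in XSD_REF_TAGS and el.get("schemaLocation") is not None:
            refs.append(el.get("schemaLocation"))
    return refs


def json_schema_refs(schema):
    """Walk a parsed JSON Schema and return every "$ref" string, in document order."""
    refs = []

    def walk(node):
        if isinstance(node, dict):
            ref = node.get("$ref")
            if isinstance(ref, str):
                refs.append(ref)
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(schema)
    return refs


def is_remote(ref):
    """True when resolving the reference requires contacting a host over the network.

    Fragment-only refs ("#/definitions/x") and relative paths ("common-types.xsd")
    are left to the local bundle; note that a relative path still resolves against
    the document's base URI, so the resolver itself should also be denied network access.
    """
    parts = urlsplit(ref)
    return parts.scheme in REMOTE_SCHEMES and bool(parts.netloc)


def remote_refs_in_bundle(xsd_documents, json_schemas):
    """Return the remote references found across a bundle of XSD texts and parsed JSON schemas."""
    found = []
    for xsd_text in xsd_documents:
        found.extend(r for r in xsd_external_refs(xsd_text) if is_remote(r))
    for schema in json_schemas:
        found.extend(r for r in json_schema_refs(schema) if is_remote(r))
    return found


# Constructed sample documents: one local include, one remote import, one local and one remote $ref.
SAMPLE_XSD = """<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="urn:example:orders">
  <xs:include schemaLocation="common-types.xsd"/>
  <xs:import namespace="urn:example:addr" schemaLocation="http://schemas.example.invalid/address.xsd"/>
  <xs:element name="order" type="xs:string"/>
</xs:schema>"""

SAMPLE_JSON_SCHEMA = json.loads("""{
  "type": "object",
  "properties": {
    "customer": {"$ref": "#/definitions/customer"},
    "address": {"$ref": "http://schemas.example.invalid/address.json#"}
  },
  "definitions": {"customer": {"type": "string"}}
}""")


if __name__ == "__main__":
    for ref in remote_refs_in_bundle([SAMPLE_XSD], [SAMPLE_JSON_SCHEMA]):
        print("remote reference, refuse to load bundle:", ref)
```

Run as a check in the build or deployment step for a service that validates untrusted input against schemas: a non-empty result means the bundle is incomplete and a validator configured with canonical dereferencing or a default XML schema resolver would fetch from the named host at validation time.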


