| Started by | Chris Angelico <rosuav@gmail.com> |
|---|---|
| First post | 2013-07-16 02:41 +1000 |
| Last post | 2013-07-16 02:41 +1000 |
| Articles | 1 — 1 participant |
This discussion starts older than the indexed window; earlier articles aren't shown. The article labeled "Started by" below is the oldest one visible, not the original post.
Re: Python - remote object protocols and security Chris Angelico <rosuav@gmail.com> - 2013-07-16 02:41 +1000
| From | Chris Angelico <rosuav@gmail.com> |
|---|---|
| Date | 2013-07-16 02:41 +1000 |
| Subject | Re: Python - remote object protocols and security |
| Message-ID | <mailman.4740.1373906471.3114.python-list@python.org> |
On Tue, Jul 16, 2013 at 2:31 AM, Burak Arslan <burak.arslan@arskom.com.tr> wrote:
> On 07/15/13 16:53, Chris Angelico wrote:
>> I haven't looked into the details, but there was one among a list of
>> exploits that was being discussed a few months ago; it involved XML
>> schemas, I think, and quite a few generic XML parsers could be tricked
>> into fetching arbitrary documents. Whether this could be used for
>> anything more serious than a document-viewed receipt or a denial of
>> service (via latency) I don't know, but if nothing else, it's a vector
>> that JSON simply doesn't have. ChrisA
>
> I must have missed that exploit report, can you provide a link?
>
> Parsing arbitrary xml documents and parsing xml schema documents and
> applying xml schema semantics to these documents are two very different
> operations.

I don't remember all the details; it isn't something I took particular
note of, as I don't work much with XML. It was something involving
either a schema declaration or a DTD or something of the sort, where
normally no external lookup is required but there's an HTTP URL in
there and it's possible to force that to be resolved.

> Xml schemas are not "tricked" into fetching arbitrary documents,
> xs:include and xs:import fetch external documents, it's a well-known
> feature. If you don't want this, you should ship all of the schema
> documents together and generate the schemas in a way to not include any
> external references. So I'm surprised this was presented as a security
> exploit.

It was something that parsing a basic XML document could trigger, and
in an environment where you wouldn't normally expect extra HTTP
requests to be going out, hence "tricked".

> Json schemas also have similar functionality:
> http://json-schema.org/latest/json-schema-core.html#anchor30
>
> """
> if canonical dereferencing is used, the implementation will dereference
> this URI, and fetch the content at this URI;
> """
>
> So I don't understand how you're so sure of yourself, but to me, it
> seems like Json schemas have the same attack vectors.

Yes, but normal JSON data doesn't include schema references. Normal XML
data can and often does.

ChrisA
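Added example (not from the thread or from any project it mentions): the behaviour Chris describes, reproduced with the standard-library expat binding so a reader can see which URLs an ordinary-looking document would make the parser fetch, and how a handler can log or refuse them before any request goes out. The document bytes and the `.invalid` hosts are constructed placeholders.

```python
import xml.parsers.expat as expat

# Constructed sample (placeholder hosts): an ordinary-looking document whose
# DOCTYPE names an external DTD and whose internal subset declares one
# external general entity. Parsing it naively means two outbound requests.
SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE receipt SYSTEM "http://dtd.example.invalid/receipt.dtd" [
  <!ENTITY logo SYSTEM "http://img.example.invalid/logo.xml">
]>
<receipt><total>12.50</total>&logo;</receipt>
"""
CLEAN = b"<receipt><total>12.50</total></receipt>"

def _parser(on_external_ref):
    parser = expat.ParserCreate()
    # expat only hands the DOCTYPE external subset to the handler when
    # parameter-entity parsing is on (xml.sax turns it on UNLESS_STANDALONE).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)
    parser.ExternalEntityRefHandler = on_external_ref
    return parser

def external_references(data):
    """Audit mode: list every resource parsing `data` would fetch, as
    (kind, system_id) pairs, without fetching any of them."""
    seen = []

    def record(context, base, system_id, public_id):
        # context is None for the DOCTYPE external subset, otherwise it
        # carries the name of the general entity being expanded.
        seen.append(("dtd" if context is None else "entity", system_id))
        return 1  # "handled": expat continues with nothing substituted

    _parser(record).Parse(data, True)
    return seen

def parse_offline(data):
    """Guard mode for untrusted input: abort at the first external reference.
    Returns (parsed_ok, blocked_system_ids)."""
    blocked = []

    def refuse(context, base, system_id, public_id):
        blocked.append(system_id)
        return 0  # expat aborts with XML_ERROR_EXTERNAL_ENTITY_HANDLING

    try:
        _parser(refuse).Parse(data, True)
    except expat.ExpatError:
        return False, blocked
    return True, blocked
```

Python's own xml.sax reader has shipped with external general entities disabled by default since 3.7.1 for exactly this reason; the guard above makes the same decision explicitly at the expat level.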