Re: [Python-Dev] XML DoS vulnerabilities and exploits in Python

20 Feb 2013 22:58:42 -0800

On 21 Feb 2013 11:37:47 +1100
Steven D'Aprano <[email protected]> wrote:
> 
> It's easy to forget that malware existed long before the Internet. The 
> internet is just a transmission vector, it is not the source of malicious 
> files. The source of malicious files is *other people*, and unless you never 
> use XML files you didn't generate yourself, you cannot completely trust the 
> source. You might trust your colleagues to not *intentionally* pass you a 
> malicious XML file, but they may still do so accidentally.

That's in theory very nice, but in practice security in everyday
computing hasn't really been a concern before the massification of
Internet access.

(yes, there have been viruses on mainstream platforms such as the
Amiga, but it was pretty minor compared to nowadays, and nobody cared
about potential DoS attacks for example)

So, as for XML files, we are talking about a DoS vulnerability. It
will take more than a single file to make a DoS attack really
annoying, which means the attacker must pollute the source of those XML
files in a systemic way. It's not "a single XML file will smuggle
confidential data out of the building".

Regards

Antoine.