python-defusedxml
Port variant v11
Summary XML bomb protection for stdlib modules (3.11)
BROKEN
Package version 0.7.1
Homepage https://github.com/tiran/defusedxml
Keywords python
Maintainer Python Automaton
License Not yet specified
Other variants v12
Last modified 10 OCT 2023, 04:40:21 UTC
Port created 15 AUG 2020, 23:27:53 UTC
Subpackage Descriptions
single

===================================================
defusedxml -- defusing XML bombs and other exploits
===================================================

.. "It's just XML, what could probably go wrong?"

Christian Heimes

Synopsis
========

The results of an attack on a vulnerable XML library can be fairly dramatic. With just a few hundred **Bytes** of XML data an attacker can occupy several **Gigabytes** of memory within **seconds**.

An attacker can also keep CPUs busy for a long time with a small to medium size request. Under some circumstances it is even possible to access local files on your server, to circumvent a firewall, or to abuse services to rebound attacks to third parties.

The attacks use and abuse less common features of XML and its parsers. The majority of developers are unacquainted with features such as processing instructions and entity expansions that XML inherited from SGML. At best they know about ``<!DOCTYPE>`` from experience with HTML, but they are not aware that a document type definition (DTD) can generate an HTTP request or load a file from the file system.

None of the issues is new. They have been known for a long time. Billion laughs was first reported in 2003. Nevertheless some XML libraries and applications are still vulnerable, and even heavy users of XML are surprised by these features. It's hard to say whom to blame for the situation. It's too short-sighted to shift all blame onto XML parsers and XML libraries for using insecure default settings. After all, they properly implement the XML specifications. Application developers must not assume that a library is, by default, configured to be secure against potentially harmful data.

.. contents:: Table of Contents
   :depth: 2

Attack vectors
==============

billion laughs / exponential entity expansion
---------------------------------------------

The `Billion Laughs`_ attack -- also known as exponential entity expansion -- uses multiple levels of nested entities. The original example uses 9 levels of 10 expansions in each level to expand the string lol to a string of 3 * 10 :sup:`9` bytes, hence the name "billion laughs". The resulting string occupies 3 GB (2.79 GiB) of memory; intermediate strings require additional memory. Because most parsers don't cache the intermediate step for every expansion, it is repeated over and over again, which increases the CPU load even more. An XML document of just a few hundred bytes can disrupt all services on a machine within seconds.

Example XML::

    ]>
    &d;

quadratic blowup entity expansion
---------------------------------

A quadratic blowup attack is similar to a `Billion Laughs`_ attack; it abuses entity expansion, too. Instead of nested entities it repeats one large entity with a couple of thousand chars over and over again. The attack isn't as efficient as the exponential case, but it avoids triggering countermeasures of parsers against heavily nested entities. Some parsers limit the depth and breadth of a single entity but not the total amount of expanded text throughout an entire XML document.
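The following is an added illustration of both attack sections above, not code from the defusedxml project: it builds a small, constructed nested-entity document in the style of the billion-laughs example, measures how much text a default expat parser expands from it, and then shows the defusing strategy defusedxml applies to the stdlib parsers, refusing any entity declaration before a single expansion happens (which also stops the quadratic variant, since that needs an entity declaration too). The ``EntitiesForbidden`` class, ``make_bomb`` and ``expanded_size`` are names chosen here, not defusedxml's API.

```python
import xml.parsers.expat


class EntitiesForbidden(ValueError):
    """Raised when the DTD declares an entity (the idea behind defusedxml's exception)."""


def make_bomb(levels: int, fanout: int) -> bytes:
    """Constructed sample: `levels` entities, each referencing the previous one
    `fanout` times. levels=4, fanout=10 gives three levels of 10 expansions of
    "lol", i.e. 3 * 10**3 characters from a document of roughly 200 bytes."""
    decls = ['<!ENTITY e0 "lol">']
    for i in range(1, levels):
        refs = f"&e{i - 1};" * fanout
        decls.append(f'<!ENTITY e{i} "{refs}">')
    dtd = "\n".join(decls)
    return f"<!DOCTYPE bomb [\n{dtd}\n]>\n<bomb>&e{levels - 1};</bomb>".encode()


def expanded_size(data: bytes, defuse: bool) -> int:
    """Parse `data` with expat and return the number of characters of expanded
    text. With defuse=True every entity declaration aborts the parse, so the
    bomb never gets a chance to expand."""
    parser = xml.parsers.expat.ParserCreate()
    total = 0

    def on_chardata(text):
        nonlocal total
        total += len(text)

    def forbid_entity(name, *_):
        # pyexpat propagates exceptions raised in handlers out of Parse()
        raise EntitiesForbidden(f"entity declaration not allowed: {name}")

    parser.CharacterDataHandler = on_chardata
    if defuse:
        parser.EntityDeclHandler = forbid_entity
    parser.Parse(data, True)
    return total


def demo(levels: int = 4, fanout: int = 10) -> tuple:
    """Return (characters expanded by the unprotected parse, True if the defused parse refused)."""
    bomb = make_bomb(levels, fanout)
    unprotected = expanded_size(bomb, defuse=False)
    try:
        expanded_size(bomb, defuse=True)
        refused = False
    except EntitiesForbidden:
        refused = True
    return unprotected, refused


if __name__ == "__main__":
    chars, refused = demo()
    print(f"{len(make_bomb(4, 10))}-byte document expanded to {chars} characters; defused parser refused: {refused}")
```

The sample is kept to a few thousand characters so the unprotected parse finishes instantly; Python's bundled libexpat 2.4 and later also caps entity amplification on its own, but only once the expanded output exceeds a multi-megabyte threshold, so refusing declarations up front remains the reliable defence.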
Configuration Switches (platform-specific settings discarded)
PY311 ON   Build using Python 3.11
PY312 OFF  Build using Python 3.12
Package Dependencies by Type
Build (only) python-pip:single:v11
autoselect-python:single:std
Build and Runtime python311:single:std
Download groups
main mirror://PYPIWHL/07/6c/aa3f2f849e01cb6a001cd8554a88d4c77c5c1a31c95bdf1cf9301e6d9ef4
Distribution File Information
a352e7e428770286cc899e2542b6cdaedb2b4953ff269a210103ec58f6198a61 25604 defusedxml-0.7.1-py2.py3-none-any.whl
Ports that require python-defusedxml:v11
python-patchman:v11 Django based patch status monitoring tool (3.11)
python-python3-openid:v11 OpenID support for servers and consumers (3.11)
python-social-auth-core:v11 Python social authentication made simple (3.11)
python-trytond:v11 Tryton server (3.11)