-
Notifications
You must be signed in to change notification settings - Fork 4
/
README.txt
193 lines (131 loc) · 4.78 KB
/
README.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
============
defusedexpat
============
.. contents:: Table of Contents
:depth: 2
defusedexpat protects the XML packages of Python's standard library from
several denial of service vulnerabilities and external entity exploits. It
contains
* a modified and enhanced version of expat parser library
* replacements for pyexpat and cElementTree's _elementtree extension modules
* loader code that replaces built-in extensions with the modified extensions
* monkey patches for xml.sax and xml.dom to prevent external entity expansions
In order to protect your application you have to import the ``defusedxml``
module **before** any of the stdlib's XML modules.
Countermeasures
===============
* limited entity expansion level to antagonize billion laugh attacks
* limited total length of expansions to prevent quadratic blowups
* monkey patch to prevent retrieval of external entities and DTDs
Modifications
=============
Modifications in pyexpat
------------------------
Parser object
..............
New parser attributes (r/w)
* max_entity_indirections
* max_entity_expansions
* reset_dtd
Module constants
................
* XML_DEFAULT_MAX_ENTITY_INDIRECTIONS
* XML_DEFAULT_MAX_ENTITY_EXPANSIONS
* XML_BOMB_PROTECTION
Modules functions
..................
* get_reset_dtd(), set_reset_dtd(bool)
* get_max_entity_expansions(), set_max_entity_expansions(int)
* get_max_entity_indirections(), et_max_entity_indirections(int)
New CAPI members
................
* capi.GetFeature
* capi.SetFeature
* capi.GetFeatureDefault
* capi.SetFeatureDefault
Modifications in _elementtree
-----------------------------
_elementtree.XMLParser
.......................
New arguments and r/o attributes
* max_entity_indirections
* max_entity_expansions
* ignore_dtd
Modifications in expat
----------------------
new definitions::
XML_BOMB_PROTECTION
XML_DEFAULT_MAX_ENTITY_INDIRECTIONS
XML_DEFAULT_MAX_ENTITY_EXPANSIONS
XML_DEFAULT_RESET_DTD
new XML_FeatureEnum members::
XML_FEATURE_MAX_ENTITY_INDIRECTIONS
XML_FEATURE_MAX_ENTITY_EXPANSIONS
XML_FEATURE_IGNORE_DTD
new XML_Error members::
XML_ERROR_ENTITY_INDIRECTIONS
XML_ERROR_ENTITY_EXPANSION
new API functions::
int XML_GetFeature(XML_Parser parser,
enum XML_FeatureEnum feature,
long *value);
int XML_SetFeature(XML_Parser parser,
enum XML_FeatureEnum feature,
long value);
int XML_GetFeatureDefault(enum XML_FeatureEnum feature,
long *value);
int XML_SetFeatureDefault(enum XML_FeatureEnum feature,
long value);
XML_FEATURE_MAX_ENTITY_INDIRECTIONS
Limit the amount of indirections that are allowed to occur during the
expansion of a nested entity. A counter starts when an entity reference
is encountered. It resets after the entity is fully expanded. The limit
protects the parser against exponential entity expansion attacks (aka
billion laughs attack). When the limit is exceeded the parser stops and
fails with `XML_ERROR_ENTITY_INDIRECTIONS`.
A value of 0 disables the protection.
Supported range
0 .. UINT_MAX
Default
40
XML_FEATURE_MAX_ENTITY_EXPANSIONS
Limit the total length of all entity expansions throughout the entire
document. The lengths of all entities are accumulated in a parser variable.
The setting protects against quadratic blowup attacks (lots of expansions
of a large entity declaration). When the sum of all entities exceeds
the limit, the parser stops and fails with `XML_ERROR_ENTITY_EXPANSION`.
A value of 0 disables the protection.
Supported range
0 .. UINT_MAX
Default
8 MiB
XML_FEATURE_RESET_DTD
Reset all DTD information after the <!DOCTYPE> block has been parsed. When
the flag is set (default: false) all DTD information after the
endDoctypeDeclHandler has been called. The flag can be set inside the
endDoctypeDeclHandler. Without DTD information any entity reference in
the document body leads to `XML_ERROR_UNDEFINED_ENTITY`.
Supported range
0, 1
Default
0
Requirements
============
* Python 2.6.6 or newer (2.6.8 or newer for randomized hashing)
* Python 2.7 (2.7.3 or newer for randomized hashing and Windows binaries)
* Python 3.1 (3.1.5 or newer for randomized hashing and Windows binaries)
* Python 3.2 (3.2.3 or newer for randomized hashing and Windows binaries)
* Python 3.3.0 or newer
Windows binaries are compatible to 2.6.6, 2.7.3, 3.1.5, 3.2.3 or 3.3.0 or
newer micro releases. They don't work on older versions.
License
=======
Copyright (c) 2013 by Christian Heimes <[email protected]>
Licensed to PSF under a Contributor Agreement.
See http://www.python.org/psf/license for licensing details.
Contributors
============
Antoine Pitrou
code review
Brett Cannon
code review