mirror of
https://github.com/python/cpython.git
synced 2024-12-02 22:35:26 +08:00
Closes #19179: make table of XML vulnerabilities clearer by using "everyday" booleans and explaining the table beforehand.
parent
d8ede4fddd
commit
57f936ecde
@ -53,15 +53,17 @@ access local files, to generate network connections to other machines, or
|
|||||||
to or circumvent firewalls. The attacks on XML abuse unfamiliar features
|
to or circumvent firewalls. The attacks on XML abuse unfamiliar features
|
||||||
like inline `DTD`_ (document type definition) with entities.
|
like inline `DTD`_ (document type definition) with entities.
|
||||||
|
|
||||||
|
The following table gives an overview of the known attacks and if the various
|
||||||
|
modules are vulnerable to them.
|
||||||
|
|
||||||
========================= ======== ========= ========= ======== =========
|
========================= ======== ========= ========= ======== =========
|
||||||
kind sax etree minidom pulldom xmlrpc
|
kind sax etree minidom pulldom xmlrpc
|
||||||
========================= ======== ========= ========= ======== =========
|
========================= ======== ========= ========= ======== =========
|
||||||
billion laughs **True** **True** **True** **True** **True**
|
billion laughs **Yes** **Yes** **Yes** **Yes** **Yes**
|
||||||
quadratic blowup **True** **True** **True** **True** **True**
|
quadratic blowup **Yes** **Yes** **Yes** **Yes** **Yes**
|
||||||
external entity expansion **True** False (1) False (2) **True** False (3)
|
external entity expansion **Yes** No (1) No (2) **Yes** No (3)
|
||||||
DTD retrieval **True** False False **True** False
|
DTD retrieval **Yes** No No **Yes** No
|
||||||
decompression bomb False False False False **True**
|
decompression bomb No No No No **Yes**
|
||||||
========================= ======== ========= ========= ======== =========
|
========================= ======== ========= ========= ======== =========
|
||||||
|
|
||||||
1. :mod:`xml.etree.ElementTree` doesn't expand external entities and raises a
|
1. :mod:`xml.etree.ElementTree` doesn't expand external entities and raises a
|
||||||
|
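Review bot: In the added introductory sentence ("The following table gives an overview of the known attacks and if the various modules are vulnerable to them."), "if" should be "whether", and the sentence should say outright that "Yes" means the module is vulnerable. The cells are now bare Yes/No, so a reader who skims the table without the lead-in could take "Yes" to mean "protected". Suggested wording: "The following table gives an overview of the known attacks and whether the various modules are vulnerable to them (**Yes** means vulnerable)." The bold carried over from the old **True** cells helps, but nothing in the visible lines explains what the bold signifies.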