Closes #19179: make table of XML vulnerabilities clearer by using "everyday" booleans and explaining the table beforehand.

Georg Brandl 2013-10-12 18:19:33 +02:00
parent d8ede4fddd
commit 57f936ecde


@ -53,15 +53,17 @@ access local files, to generate network connections to other machines, or
to or circumvent firewalls. The attacks on XML abuse unfamiliar features to or circumvent firewalls. The attacks on XML abuse unfamiliar features
like inline `DTD`_ (document type definition) with entities. like inline `DTD`_ (document type definition) with entities.
The following table gives an overview of the known attacks and if the various
modules are vulnerable to them.
========================= ======== ========= ========= ======== ========= ========================= ======== ========= ========= ======== =========
kind sax etree minidom pulldom xmlrpc kind sax etree minidom pulldom xmlrpc
========================= ======== ========= ========= ======== ========= ========================= ======== ========= ========= ======== =========
billion laughs **True** **True** **True** **True** **True** billion laughs **Yes** **Yes** **Yes** **Yes** **Yes**
quadratic blowup **True** **True** **True** **True** **True** quadratic blowup **Yes** **Yes** **Yes** **Yes** **Yes**
external entity expansion **True** False (1) False (2) **True** False (3) external entity expansion **Yes** No (1) No (2) **Yes** No (3)
DTD retrieval **True** False False **True** False DTD retrieval **Yes** No No **Yes** No
decompression bomb False False False False **True** decompression bomb No No No No **Yes**
========================= ======== ========= ========= ======== ========= ========================= ======== ========= ========= ======== =========
1. :mod:`xml.etree.ElementTree` doesn't expand external entities and raises a 1. :mod:`xml.etree.ElementTree` doesn't expand external entities and raises a
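Review bot: the new introductory sentence ("The following table gives an overview of the known attacks and if the various modules are vulnerable to them") should read "whether the various modules are vulnerable", and it should also say what the cell values mean, since the table relies on the reader inferring that a bold **Yes** marks a vulnerable module and a plain No marks a safe one; a short addition such as "A bold **Yes** means the module is vulnerable to that attack" after the sentence would make the Yes/No switch in this hunk fully self-explanatory, and the numbered footnotes (1), (2), (3) that follow would then clearly read as exceptions to the No entries.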