Re: XML vulnerabilities (poop)by Anonymous Monk
|on Mar 26, 2013 at 08:16 UTC||Need Help??|
Has anything similar been done for Perl XML libraries?
What do you mean?
That "review" you linked lists Perl's XML::Simple is vulnerable to quadratic entity expansion and external entity expansion (both local and remote).
it says if you turn random xml into a hash, it can eat all of your memory -- not particularly surprising, firefox will do the same thing with any random webpage -- trees cost memory , and features are features :)
Is XML::Simple vunlerable to a feature using too much memory? Maybe :) but that "report" is nothing more than rumor, it doesn't even mention a version number -- and XML::Simple can use at miniumum 3 different backends
Lots of those issues transcend perl/python... any language/library that interfaces to libxml2, including perl's XML::LibXML, is vulnerable to any bugs/vulnerabilities in libxml2
So if you're worried about your parser, check its documentation, check its bug cue, check the options you have turned on;
I've seen bugs reported, and I've seen them get fixed, this is the cycle of software :)