PerlMonks  

Re: XML vulnerabilities (poop)

by Anonymous Monk
on Mar 26, 2013 at 08:16 UTC (#1025458)


in reply to XML vulnerabilities

Has anything similar been done for Perl XML libraries?

What do you mean?

That "review" you linked lists Perl's XML::Simple as vulnerable to quadratic entity expansion and external entity expansion (both local and remote).

It says if you turn random xml into a hash, it can eat all of your memory -- not particularly surprising, Firefox will do the same thing with any random webpage -- trees cost memory, and features are features :)

Is XML::Simple vulnerable to a feature using too much memory? Maybe :) but that "report" is nothing more than rumor, it doesn't even mention a version number -- and XML::Simple can use at minimum 3 different backends

Lots of those issues transcend perl/python... any language/library that interfaces to libxml2, including perl's XML::LibXML, is vulnerable to any bugs/vulnerabilities in libxml2

So if you're worried about your parser, check its documentation, check its bug queue, check the options you have turned on;

I've seen bugs reported, and I've seen them get fixed, this is the cycle of software :)
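Added example (not from the thread above, and not XML::Simple's or XML::LibXML's own code) showing what "check the options you have turned on" looks like in practice for XML::LibXML, the libxml2 binding the reply mentions. The sample document, the policy names and the helper subs are constructed for illustration; the parser options passed to XML::LibXML->new are the documented ones.

```perl
#!/usr/bin/perl
# Added example: two defensive policies for parsing untrusted XML with
# XML::LibXML. Assumes XML::LibXML (and therefore libxml2) is installed.
use strict;
use warnings;
use XML::LibXML;

# Constructed sample: an internal DTD that declares one ordinary entity
# and one SYSTEM (external, local) entity -- the two issue classes the
# linked review attributes to XML::Simple. The file path is a placeholder.
my $untrusted = <<'XML';
<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY rep "repeated text repeated text">
  <!ENTITY ext SYSTEM "file:///nonexistent/constructed-placeholder.txt">
]>
<order><note>&rep;</note><note>&ext;</note></order>
XML

# Policy 1: untrusted XML has no business carrying a DOCTYPE at all.
# Rejecting it before parsing sidesteps every entity-expansion trick,
# quadratic or otherwise, and costs one regex.
sub doctype_free {
    my ($xml) = @_;
    return $xml =~ /<!DOCTYPE/i ? 0 : 1;   # 1 = accept, 0 = reject
}

# Policy 2: if a DTD must be tolerated, build the parser with every
# entity-related feature switched off. Each key is a documented
# XML::LibXML parser option.
sub hardened_parser {
    return XML::LibXML->new(
        expand_entities => 0,  # keep &name; as entity-reference nodes
        load_ext_dtd    => 0,  # never fetch an external DTD
        no_network      => 1,  # forbid network access while parsing
        expand_xinclude => 0,  # no XInclude processing
        huge            => 0,  # keep libxml2's size/expansion limits on
    );
}

# Combined check: refuse a DOCTYPE outright, and parse whatever remains
# with the hardened options anyway (defence in depth).
sub parse_untrusted {
    my ($xml) = @_;
    die "rejected: DOCTYPE not allowed in untrusted input\n"
        unless doctype_free($xml);
    return hardened_parser()->load_xml(string => $xml);
}

# The sample trips policy 1 and is never handed to the parser.
eval { parse_untrusted($untrusted) };
print "policy 1: $@" if $@;

# Policy 2 on the same input: the references stay unexpanded, so the
# ordinary entity is not substituted and libxml2 does not read the
# SYSTEM entity (it only fetches external general entities when
# substitution or DTD validation is requested).
my $doc = hardened_parser()->load_xml(string => $untrusted);
for my $note ($doc->findnodes('//note')) {
    for my $child ($note->childNodes) {
        # With expand_entities => 0 these are XML::LibXML::EntityReference
        # nodes (nodeType 5), not text nodes carrying the expansion.
        printf "policy 2: %s (nodeType %d)\n", ref $child, $child->nodeType;
    }
}
```

Policy 1 is the one to reach for first: for data coming off the wire, a document that needs a DTD is almost always a bug or an attack, and refusing it is cheaper than reasoning about what the backend will do with it. Policy 2 is for the cases where a DOCTYPE is legitimately present; it is also worth remembering that XML::Simple picks whichever SAX backend is installed, so these options only apply once you are talking to XML::LibXML directly.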

