
Re: XML vulnerabilities (poop)

by Anonymous Monk
on Mar 26, 2013 at 08:16 UTC (#1025458)

in reply to XML vulnerabilities

Has anything similar been done for Perl XML libraries?

What do you mean?

That "review" you linked lists Perl's XML::Simple is vulnerable to quadratic entity expansion and external entity expansion (both local and remote).

It says if you turn random XML into a hash, it can eat all of your memory -- not particularly surprising, Firefox will do the same thing with any random webpage -- trees cost memory, and features are features :)

Is XML::Simple vulnerable to a feature using too much memory? Maybe :) but that "report" is nothing more than rumor, it doesn't even mention a version number -- and XML::Simple can use at minimum 3 different backends

Lots of those issues transcend Perl/Python... any language/library that interfaces to libxml2, including Perl's XML::LibXML, is vulnerable to any bugs/vulnerabilities in libxml2

So if you're worried about your parser, check its documentation, check its bug queue, check the options you have turned on;

I've seen bugs reported, and I've seen them get fixed, this is the cycle of software :)
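An added example (not from the original post or the XML::Simple/XML::LibXML projects) of "check the options you have turned on": two constructed documents of the kind the linked review talks about, a quadratic entity blowup and an external (local file) entity, fed through XML::LibXML with the libxml2 options that control entity handling turned off. The `parse_untrusted` function name and the sample documents are assumptions for illustration; the parser options (`expand_entities`, `load_ext_dtd`, `no_network`, `huge`) are the documented XML::LibXML parser options.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use XML::LibXML;

# Constructed sample 1: quadratic blowup. One large internal entity
# referenced many times; small on the wire, huge once expanded.
my $payload   = 'A' x 10_000;
my $refs      = join '', ('&big;') x 10_000;          # about 60 KB of input
my $quadratic = "<?xml version=\"1.0\"?>\n"
              . "<!DOCTYPE r [ <!ENTITY big \"$payload\"> ]>\n"
              . "<r>$refs</r>\n";                      # about 100 MB if expanded

# Constructed sample 2: external entity pulling a local file into the tree.
my $xxe = <<'XML';
<?xml version="1.0"?>
<!DOCTYPE r [ <!ENTITY leak SYSTEM "file:///etc/hostname"> ]>
<r>&leak;</r>
XML

# Hardened parse for input we do not trust. First refuse any DOCTYPE at all
# (the documents we accept never legitimately carry one), so neither internal
# nor external entities can be declared whatever backend ends up parsing it.
# Then parse with the libxml2 options that matter if a DTD ever gets through.
sub parse_untrusted {
    my ($xml) = @_;
    die "rejected: document declares a DOCTYPE\n" if $xml =~ /<!DOCTYPE/i;
    return XML::LibXML->load_xml(
        string          => $xml,
        expand_entities => 0,   # do not substitute entity references
        load_ext_dtd    => 0,   # do not fetch an external DTD subset
        no_network      => 1,   # no http/ftp lookups from inside the parser
        huge            => 0,   # keep libxml2's size and expansion limits on
    );
}

for my $doc ( $quadratic, $xxe, "<r>fine</r>" ) {
    my $dom = eval { parse_untrusted($doc) };
    print $@ ? "blocked: $@"
             : "parsed: " . $dom->documentElement->textContent . "\n";
}
```

The first two documents are blocked at the DOCTYPE check and the third parses. The parser options are the second layer: they are what you would rely on if your input does legitimately carry a DTD, and they only exist because this code talks to libxml2 directly. With XML::Simple the equivalent knobs depend on which backend it picked (XML::Parser by default, or whatever `$XML::Simple::PREFERRED_PARSER` names), which is exactly why a report that names neither the version nor the backend says little.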
