Why is xml.etree.ElementTree considered insecure?
According to Creating a simple XML file using python, one of the easiest ways to generate an XML file in Python is to use Python's built-in ElementTree XML API.
However, the Python 3 documentation contains the following warning:
Warning: The xml.etree.ElementTree module is not secure against maliciously constructed data. If you need to parse untrusted or unauthenticated data see XML vulnerabilities.
I had planned to use the ElementTree library to build XML requests whose attribute values come from user input. However, I am now concerned about the security of my application.
For example, my application has a logon() function whose parameters are the user-entered username and password. These values are then used as XML attributes.
import xml.etree.ElementTree as ET

def logon(username, password):
    # Create XML logon request for external webservice
    root = ET.Element("xml")
    body = ET.SubElement(root, "Logon")
    body.set("Username", username)
    body.set("Password", password)
    return ET.tostring(root, encoding="UTF-8", method="xml")
Why is xml.etree.ElementTree considered insecure? Is it safe to use user-defined XML attribute values?
According to section 20.4.1. XML vulnerabilities of the Python documentation, xml.etree.ElementTree is vulnerable to the Billion Laughs attack and the quadratic blowup attack.
billion laughs / exponential entity expansion
The Billion Laughs attack – also known as exponential entity expansion – uses multiple levels of nested entities. Each entity refers to another entity several times, and the final entity definition contains a small string. The exponential expansion results in several gigabytes of text and consumes lots of memory and CPU time.
quadratic blowup entity expansion
A quadratic blowup attack is similar to a Billion Laughs attack; it abuses entity expansion, too. Instead of nested entities it repeats one large entity with a couple of thousand chars over and over again. The attack isn’t as efficient as the exponential case but it avoids triggering parser countermeasures that forbid deeply-nested entities.
As long as you do not parse maliciously crafted XML, you are safe.
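The following is an added example, not code from the question or the answer. It shows the two halves of the answer in practice: the serializer escapes user-controlled attribute values, so the structure of the generated request cannot be altered by them, while on the parsing side both attacks quoted above depend on a DTD declaring entities, so a simple pre-check can refuse untrusted documents that carry one. The DTD check is a byte-substring heuristic that assumes ASCII/UTF-8 input; the sample values are constructed.

```python
import xml.etree.ElementTree as ET

def logon(username, password):
    # Same construction as in the question: user input becomes attribute values.
    root = ET.Element("xml")
    body = ET.SubElement(root, "Logon")
    body.set("Username", username)
    body.set("Password", password)
    return ET.tostring(root, encoding="UTF-8", method="xml")

def attributes_roundtrip(username, password):
    """Serialize user-controlled values, parse the result back, and check that
    the structure is unchanged: exactly one Logon element, two elements in
    total, and both attribute values identical to the input. Returns True
    when the serializer escaped everything (quotes, <, >, &) correctly."""
    root = ET.fromstring(logon(username, password))
    found = root.findall("Logon")
    return (len(found) == 1
            and len(list(root.iter())) == 2
            and found[0].get("Username") == username
            and found[0].get("Password") == password)

def has_dtd(data):
    """Heuristic pre-check (assumption: ASCII/UTF-8 input). Entity expansion
    needs a DTD, so an untrusted document with a DOCTYPE or ENTITY
    declaration is refused before the parser ever sees it."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    return b"<!DOCTYPE" in data or b"<!ENTITY" in data

def parse_untrusted(data):
    """Return the parsed root element, or None if the document declares a DTD."""
    if has_dtd(data):
        return None
    return ET.fromstring(data)

# Constructed samples, not taken from the original post.
INJECTION_ATTEMPT = ('alice" Role="admin', 'p<&>ss')
BENIGN_DTD_DOC = b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY e "v">]><x>&e;</x>'

if __name__ == "__main__":
    print(logon(*INJECTION_ATTEMPT))
    print(attributes_roundtrip(*INJECTION_ATTEMPT))
    print(parse_untrusted(BENIGN_DTD_DOC))
```

The substring check is only a first line of defence for documents you receive; the generation side needs no such check because ET.tostring escapes attribute values itself.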