# Buildsheet autogenerated by ravenadm tool -- Do not edit.

NAMEBASE=               python-defusedxml
VERSION=                0.7.1
KEYWORDS=               python
VARIANTS=               v11 v12
SDESC[v11]=             XML bomb protection for stdlib modules (3.11)
SDESC[v12]=             XML bomb protection for stdlib modules (3.12)
HOMEPAGE=               https://github.com/tiran/defusedxml
CONTACT=                Python_Automaton[python@ironwolf.systems]

DOWNLOAD_GROUPS=        main
SITES[main]=            PYPIWHL/07/6c/aa3f2f849e01cb6a001cd8554a88d4c77c5c1a31c95bdf1cf9301e6d9ef4
DISTFILE[1]=            defusedxml-0.7.1-py2.py3-none-any.whl:main
DF_INDEX=               1
SPKGS[v11]=             single
SPKGS[v12]=             single

OPTIONS_AVAILABLE=      PY311 PY312
OPTIONS_STANDARD=       none
VOPTS[v11]=             PY311=ON PY312=OFF
VOPTS[v12]=             PY311=OFF PY312=ON

DISTNAME=               defusedxml-0.7.1.dist-info
GENERATED=              yes

[PY311].USES_ON=        python:v11,wheel
[PY312].USES_ON=        python:v12,wheel

[FILE:3457:descriptions/desc.single]
===================================================
defusedxml -- defusing XML bombs and other exploits
===================================================

.. "It's just XML, what could probably go wrong?"

Christian Heimes

Synopsis
========

The results of an attack on a vulnerable XML library can be fairly dramatic.
With just a few hundred **Bytes** of XML data an attacker can occupy several
**Gigabytes** of memory within **seconds**. An attacker can also keep CPUs busy
for a long time with a small to medium size request. Under some circumstances
it is even possible to access local files on your server, to circumvent a
firewall, or to abuse services to rebound attacks to third parties.

The attacks use and abuse less common features of XML and its parsers. The
majority of developers are unacquainted with features such as processing
instructions and entity expansions that XML inherited from SGML. At best they
know about ``<!DOCTYPE html>`` from experience with HTML, but they are not
aware that a document type definition (DTD) can generate an HTTP request or
load a file from the file system.

None of the issues is new. They have been known for a long time. Billion
laughs was first reported in 2003. Nevertheless some XML libraries and
applications are still vulnerable, and even heavy users of XML are surprised
by these features. It's hard to say whom to blame for the situation. It's too
short-sighted to put all the blame on XML parsers and XML libraries for their
insecure default settings: after all, they properly implement the XML
specifications. Application developers must not rely on a library being
configured securely by default, or on it rejecting potentially harmful data
on its own.

.. contents:: Table of Contents
   :depth: 2

Attack vectors
==============

billion laughs / exponential entity expansion
---------------------------------------------

The `Billion Laughs`_ attack -- also known as exponential entity expansion --
uses multiple levels of nested entities. The original example uses 9 levels of
10 expansions in each level to expand the string lol to a string of
3 * 10 :sup:`9` bytes, hence the name "billion laughs". The resulting string
occupies 3 GB (2.79 GiB) of memory; intermediate strings require additional
memory. Because most parsers don't cache the intermediate result of each
expansion, the expansion is repeated over and over again, which increases the
CPU load even more. An XML document of just a few hundred bytes can disrupt
all services on a machine within seconds.

Example XML::

    <!DOCTYPE xmlbomb [
    <!ENTITY a "1234567890" >
    <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">
    <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;">
    <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;">
    ]>
    <bomb>&d;</bomb>

quadratic blowup entity expansion
---------------------------------

A quadratic blowup attack is similar to a `Billion Laughs`_ attack; it abuses
entity expansion, too. Instead of nested entities it repeats one large entity
with a couple of thousand chars over and over again. The attack isn't as
efficient as the exponential case, but it avoids triggering the
countermeasures of parsers against heavily nested entities.
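Both attack shapes described above (nested entities for the exponential case, one large entity referenced many times for the quadratic case) are generated and then caught in the following added example. It is not code from defusedxml or this port; it uses only the stdlib ``xml.parsers.expat`` module. Two limits are applied: a per-entity expansion size estimated from the entity declarations before anything is expanded (the kind of check that stops the exponential case) and a running budget on the total amount of expanded text (which is what the quadratic case needs, since every single entity stays small). The generator parameters, the limit values and the sample documents are constructed for the example.

```python
"""Entity-expansion bombs and two countermeasures on the stdlib expat parser.

Added example, not part of defusedxml. Limits, generators and sample inputs
are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

ENTITY_REF = re.compile(r"&([^;\s&]+);")
PREDEFINED = {"lt", "gt", "amp", "quot", "apos"}


class ExpansionLimitExceeded(ValueError):
    def __init__(self, stage, message):
        super().__init__(message)
        self.stage = stage  # "dtd": rejected before expansion, "content": rejected while expanding


class _DtdDone(Exception):
    """Raised from the end-of-DOCTYPE handler to stop parsing after the DTD."""


def billion_laughs(depth=9, fanout=10, seed="lol"):
    """Constructed sample: `depth` nested entities, each repeating the previous one `fanout` times."""
    names = [chr(ord("a") + i) for i in range(depth + 1)]
    decls = [f'<!ENTITY {names[0]} "{seed}">']
    for prev, cur in zip(names, names[1:]):
        refs = f"&{prev};" * fanout
        decls.append(f'<!ENTITY {cur} "{refs}">')
    return "<!DOCTYPE bomb [\n" + "\n".join(decls) + f"\n]>\n<bomb>&{names[-1]};</bomb>"


def quadratic_blowup(entity_size=1000, repeats=2000):
    """Constructed sample: one entity of `entity_size` chars referenced `repeats` times in the body."""
    payload = "x" * entity_size
    refs = "&a;" * repeats
    return f'<!DOCTYPE bomb [\n<!ENTITY a "{payload}">\n]>\n<bomb>{refs}</bomb>'


def expanded_size(name, decls, memo):
    """Size of an entity after full expansion, computed from the declarations alone."""
    if name in memo:
        return memo[name]
    if name.startswith("#") or name in PREDEFINED:
        return 1  # character reference or predefined entity: one character
    value = decls.get(name)
    if value is None:
        return 0  # external or undeclared entity: nothing is expanded inline
    memo[name] = 0  # placeholder so a (malformed) self-referencing entity cannot recurse forever
    size, pos = 0, 0
    for m in ENTITY_REF.finditer(value):
        size += m.start() - pos + expanded_size(m.group(1), decls, memo)
        pos = m.end()
    memo[name] = size + len(value) - pos
    return memo[name]


def entity_expansion_report(xml_text):
    """Map every internal general entity to its expanded size, parsing only the DTD."""
    decls = {}
    parser = expat.ParserCreate()

    def on_entity(name, is_param, value, *_unused):
        if not is_param:
            decls[name] = value  # value is None for external entities

    def on_end_doctype():
        raise _DtdDone  # stop before the body, so the bomb is never expanded

    parser.EntityDeclHandler = on_entity
    parser.EndDoctypeDeclHandler = on_end_doctype
    try:
        parser.Parse(xml_text, True)
    except _DtdDone:
        pass
    memo = {}
    return {name: expanded_size(name, decls, memo) for name in decls}


def parse_with_limits(xml_text, max_entity=1_000_000, max_text=1_000_000):
    """Return the document's character data, refusing to expand beyond the limits."""
    decls, memo, chunks = {}, {}, []
    seen = 0
    parser = expat.ParserCreate()

    def on_entity(name, is_param, value, *_unused):
        if is_param:
            return
        decls[name] = value
        memo.clear()  # declarations may arrive in any order; recompute
        size = expanded_size(name, decls, memo)
        if size > max_entity:
            raise ExpansionLimitExceeded("dtd", f"entity {name!r} would expand to {size} bytes")

    def on_text(data):
        nonlocal seen
        seen += len(data)  # expat delivers expanded text in chunks, so this runs mid-expansion
        if seen > max_text:
            raise ExpansionLimitExceeded("content", f"more than {max_text} bytes of expanded text")
        chunks.append(data)

    parser.EntityDeclHandler = on_entity
    parser.CharacterDataHandler = on_text
    parser.Parse(xml_text, True)
    return "".join(chunks)


def rejection_stage(xml_text, **limits):
    """None if the document parses within the limits, otherwise the stage that rejected it."""
    try:
        parse_with_limits(xml_text, **limits)
    except ExpansionLimitExceeded as exc:
        return exc.stage
    return None


def stdlib_expanded_length(xml_text):
    """What the unprotected stdlib parser does: expand everything. Only call on a small document."""
    return len(ET.fromstring(xml_text).text)


if __name__ == "__main__":
    small = billion_laughs(depth=3, fanout=8, seed="1234567890")
    print(len(small), "bytes of XML become", stdlib_expanded_length(small), "bytes of text")
    print("classic bomb expands to", max(entity_expansion_report(billion_laughs()).values()), "bytes")
    print("exponential:", rejection_stage(billion_laughs()), "quadratic:", rejection_stage(quadratic_blowup()))
```

The per-entity estimate is cheap because it never touches the body, but it is exactly the check the quadratic case walks around: its single entity is small, and the damage comes from the number of references in content. The running budget in ``on_text`` is what closes that gap; defusedxml takes the stricter route of rejecting entity declarations outright, which is the right default when an application has no need for them.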
Some parsers limit the depth and breadth of a single entity but not the total
amount of expanded text throughout an entire XML document.

[FILE:116:distinfo]
a352e7e428770286cc899e2542b6cdaedb2b4953ff269a210103ec58f6198a61        25604 defusedxml-0.7.1-py2.py3-none-any.whl