Why is xml.etree.ElementTree insecure?
Author: Internet
According to Creating a simple XML file using python, one of the simplest ways to generate an XML file with Python is to use Python's built-in ElementTree XML API.
However, the Python 3 documentation contains the following warning:
Warning: The xml.etree.ElementTree module is not secure against maliciously constructed data. If you need to parse untrusted or unauthenticated data see XML vulnerabilities.
I was planning to use the ElementTree library to construct XML requests whose attribute values come from user input. However, I am now worried about the security of my application.
For example, my application has a logon() function that takes the user-supplied username and password as parameters. These values are then used as XML attribute values.
import xml.etree.ElementTree as ET

def logon(username, password):
    # Create XML logon request for external webservice
    root = ET.Element("xml")
    body = ET.SubElement(root, "Logon")
    body.set("Username", username)
    body.set("Password", password)
    return ET.tostring(root, encoding="UTF-8", method="xml")
Why is xml.etree.ElementTree insecure? Is it safe to use with user-defined XML attribute values?
Answer:
According to section 20.4.1. XML vulnerabilities of the Python documentation, xml.etree.ElementTree is vulnerable to the Billion Laughs attack and to quadratic blowup.
billion laughs / exponential entity expansion
The Billion Laughs attack – also known as exponential entity expansion – uses multiple levels of nested entities. Each entity refers to another entity several times, and the final entity definition contains a small string. The exponential expansion results in several gigabytes of text and consumes lots of memory and CPU time.
quadratic blowup entity expansion
A quadratic blowup attack is similar to a Billion Laughs attack; it abuses entity expansion, too. Instead of nested entities it repeats one large entity with a couple of thousand chars over and over again. The attack isn’t as efficient as the exponential case but it avoids triggering parser countermeasures that forbid deeply-nested entities.
As long as you do not parse maliciously crafted XML, you are safe.
Tags: security, elementtree, xml, python Source: https://codeday.me/bug/20191110/2015235.html
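The two halves of this thread, the asker's serialization path and the answer's entity-expansion attacks, can be demonstrated side by side at a safe scale. The following is an added example written for this page, not code from the original question, answer or the Python project: build_logon is the asker's function unchanged; roundtrip_username, nested_entity_document, quadratic_document, expanded_length, parse_untrusted and HOSTILE_USERNAME are names introduced here, and the hostile input and entity documents are constructed for the demonstration. The DOCTYPE pre-scan in parse_untrusted is a cheap mitigation chosen here as an assumption, not the mitigation the documentation prescribes (that is the defusedxml package).

```python
import xml.etree.ElementTree as ET


def build_logon(username, password):
    """The asker's serializer: user-controlled values become attribute values."""
    root = ET.Element("xml")
    body = ET.SubElement(root, "Logon")
    body.set("Username", username)
    body.set("Password", password)
    return ET.tostring(root, encoding="UTF-8", method="xml")


# Constructed hostile username: tries to close the attribute and smuggle in a DTD.
HOSTILE_USERNAME = '"><!DOCTYPE x [<!ENTITY e "boom">]><x>&e;</x>'


def roundtrip_username(username):
    """Serialize, then parse our own output back the way the web service would.
    ET.tostring escapes &, <, > and " inside attribute values, so the receiver
    gets the literal string: no markup, entity or DTD is introduced by a value."""
    parsed = ET.fromstring(build_logon(username, "hunter2"))
    return parsed.find("Logon").get("Username")


def nested_entity_document(depth, fanout, leaf="lol"):
    """Miniature Billion Laughs document: e0 is a short string and each e{k}
    references e{k-1} `fanout` times, so the body expands to
    fanout**depth * len(leaf) characters. The real attack uses depth and fanout
    around 10; keep both small here."""
    decls = [f'<!ENTITY e0 "{leaf}">']
    for k in range(1, depth + 1):
        refs = f"&e{k - 1};" * fanout
        decls.append(f'<!ENTITY e{k} "{refs}">')
    return f'<!DOCTYPE x [{"".join(decls)}]><x>&e{depth};</x>'


def quadratic_document(entity_len, repeats):
    """Quadratic blowup: one large entity referenced many times. The document
    is roughly entity_len + 6*repeats bytes but expands to entity_len*repeats."""
    big = "a" * entity_len
    return f'<!DOCTYPE x [<!ENTITY big "{big}">]><x>{"&big;" * repeats}</x>'


def expanded_length(doc):
    """Parse with the unprotected stdlib parser and return how many characters
    the entity references expanded to (compare with len(doc) for amplification)."""
    return len(ET.fromstring(doc).text)


def parse_untrusted(xml_bytes):
    """Cheap pre-parse gate (an assumption made for this example, not the
    documentation's recommendation): entity declarations can only live in a DTD,
    so refuse any document carrying a DOCTYPE before the expanding parser sees it.
    The XML keyword DOCTYPE is case-sensitive, so a byte scan is exact for UTF-8
    input; UTF-16 input would dodge it, which is one reason to use defusedxml."""
    if b"<!DOCTYPE" in xml_bytes:
        raise ValueError("DOCTYPE/DTD not allowed in untrusted XML")
    return ET.fromstring(xml_bytes)


if __name__ == "__main__":
    print(build_logon(HOSTILE_USERNAME, "hunter2"))
    print("round-trip intact:", roundtrip_username(HOSTILE_USERNAME) == HOSTILE_USERNAME)
    doc = nested_entity_document(depth=4, fanout=4)
    print("billion laughs (tiny):", len(doc), "bytes in ->", expanded_length(doc), "chars out")
    doc = quadratic_document(entity_len=1000, repeats=50)
    print("quadratic blowup (tiny):", len(doc), "bytes in ->", expanded_length(doc), "chars out")
    try:
        parse_untrusted(nested_entity_document(4, 4).encode())
    except ValueError as exc:
        print("rejected:", exc)
```

Two caveats a practitioner should keep in mind. First, the asker's code only serializes: ET.tostring escapes the user input, and the serialized request never passes through a DTD-aware parser on the sending side, so the warning applies to the code that parses the web service's reply or any other untrusted document, not to the call shown in the question. Second, since Expat 2.4.1 (bundled with current CPython releases) the library caps entity amplification at roughly 100x once output exceeds about 8 MiB, which blunts the Billion Laughs payload but is not a reason to feed untrusted XML to the stdlib parser; the small documents above stay well below that threshold, which is why they expand fully.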