denishowe has asked for the wisdom of the Perl Monks concerning the following question:

A great review of security vulnerabilities related to XML parsing.

Has anything similar been done for Perl XML libraries?

Re: XML vulnerabilities (poop)
by Anonymous Monk on Mar 26, 2013 at 08:16 UTC

    Has anything similar been done for Perl XML libraries?

    What do you mean?

    That "review" you linked lists Perl's XML::Simple as vulnerable to quadratic entity expansion and external entity expansion (both local and remote).

    It says if you turn random xml into a hash, it can eat all of your memory -- not particularly surprising, firefox will do the same thing with any random webpage -- trees cost memory, and features are features :)

    Is XML::Simple vulnerable to a feature using too much memory? Maybe :) but that "report" is nothing more than rumor, it doesn't even mention a version number -- and XML::Simple can use at minimum 3 different backends

    Lots of those issues transcend perl/python... any language/library that interfaces to libxml2, including perl's XML::LibXML, is vulnerable to any bugs/vulnerabilities in libxml2

    So if you're worried about your parser, check its documentation, check its bug queue, check the options you have turned on;

    I've seen bugs reported, and I've seen them get fixed, this is the cycle of software :)
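The reply's advice to "check the options you have turned on" is concrete for XML::LibXML, the Perl binding to libxml2 mentioned above. The script below is an added example, not code from this thread or from the XML::LibXML project: it builds a parser with the entity-related options set explicitly (`expand_entities`, `load_ext_dtd`, `no_network` and `huge` are real XML::LibXML parser options), feeds it a constructed document containing a nested entity chain and an external entity reference, and reports whether a DTD was present and how many entity references were left unexpanded. The sample document, its entity names and the SYSTEM path are made up for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use XML::LibXML;

# Constructed sample input (not from the thread): an internal DTD with a
# nested entity chain plus a reference to an external entity. The entity
# names and the SYSTEM path are made up for this example.
my $untrusted_xml = <<'XML';
<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY a "aaaaaaaaaa">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
  <!ENTITY ext SYSTEM "file:///placeholder/not-a-real-path">
]>
<note><body>&b;</body><extra>&ext;</extra></note>
XML

# Parser settings for input you do not control. Every option is set
# explicitly instead of relying on the installed version's defaults.
sub hardened_parser {
    return XML::LibXML->new(
        expand_entities => 0,  # keep entity references as nodes, never substitute them
        load_ext_dtd    => 0,  # never fetch an external DTD subset
        no_network      => 1,  # libxml2 must not open network resources
        huge            => 0,  # keep libxml2's default size and expansion limits
    );
}

# Count entity reference nodes under an element. Stop at each reference
# rather than descending into it, because a reference node's children are
# the shared entity declaration, not part of the document body.
sub count_entity_refs {
    my ($node) = @_;
    return 1 if $node->nodeType == XML::LibXML::XML_ENTITY_REF_NODE;
    my $n = 0;
    $n += count_entity_refs($_) for $node->childNodes;
    return $n;
}

# Parse with the hardened settings and describe what the document carried.
# A parse failure (for example libxml2 hitting its own entity limits) is
# returned as a rejection rather than propagated.
sub inspect_untrusted {
    my ($xml) = @_;
    my $doc = eval { hardened_parser()->load_xml(string => $xml) };
    return { parsed => 0, error => "$@" } unless $doc;
    my $root = $doc->documentElement;
    return {
        parsed      => 1,
        has_dtd     => defined $doc->internalSubset ? 1 : 0,
        entity_refs => count_entity_refs($root),
        serialized  => $root->toString,  # references stay as written, e.g. &b;
    };
}

my $report = inspect_untrusted($untrusted_xml);
if (!$report->{parsed}) {
    print "rejected by parser: $report->{error}\n";
} else {
    print "document carries a DTD: $report->{has_dtd}\n";
    print "unexpanded entity references: $report->{entity_refs}\n";
    print "root element as parsed: $report->{serialized}\n";
    # Policy for untrusted sources: a DTD is rarely legitimate, so refuse the
    # document before any code reads its content.
    print $report->{has_dtd}
        ? "decision: reject (DTD present in untrusted input)\n"
        : "decision: accept\n";
}
```

With `expand_entities => 0` the `&b;` and `&ext;` references survive as `XML::LibXML::EntityReference` nodes and the serialized root still reads `<body>&b;</body>`, so the nested chain is never materialised and the external entity is never substituted; the DTD check on top of that turns "this document declares entities at all" into a reject decision, which is the simplest policy for data that arrives from outside. The same options can also be applied to an existing parser with `$parser->set_option('expand_entities', 0)`.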