Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Improve security against maliciously constructed data

See original GitHub issue

Problem xmltodict is Expat-based, which is not secure against maliciously constructed data (it’s even mentioned on the package docs: https://docs.python.org/3.4/library/pyexpat.html).

Possible Solution There is a project that improves Expat security: defusedexpat (PyPI: https://pypi.python.org/pypi/defusedexpat/ Bitbucket: https://bitbucket.org/tiran/defusedexpat). Using it instead of regular Expat could resolve security issues.

Potential problems with implementation At this point I haven’t researched compatibility issues that may arise if xmltodict were to use defusedexpat. Will do this in the next few days.

More information https://docs.python.org/3.4/library/xml.html https://pypi.python.org/pypi/defusedxml/ https://pypi.python.org/pypi/defusedexpat/ https://en.wikipedia.org/wiki/Billion_laughs https://msdn.microsoft.com/en-us/magazine/ee335713.aspx

Let me know if there’s interest in solving this problem. Is somebody interested in forking the repo and implementing the solution or should I do this (I won’t be able to work on this until next week)?

Issue Analytics

State:
Created 8 years ago
Comments:5 (2 by maintainers)

Top GitHub Comments

1reaction

iyncommented, Apr 28, 2015

Sadly, I still didn’t hear back from the defusedexpat author/maintainer. And it seems that he didn’t enable issues on Bitbucket.

I would suggest, that semi-solution could be just adding more visible info about defusedexpat in README and a note that it probably won’t work on Python 3.4 for some time.

1reaction

iyncommented, Apr 17, 2015

@martinblech Yeah, I think that would be good solution. Although I have a problem compiling defusedexpat for Python 3.4 (it works after commenting out some parts of the code, but it’s ‘hacky’ and not a proper way) - I contacted the author with the question if he plans to officially support Python 3.4.

So, I’m in favor for using defusedexpat as a default, but I’d wait for Python 3.4 support.

Top Results From Across the Web

Data Security Explained: Challenges and Solutions

This article defines data security, why it is important, and which technologies and practices can help you strengthen your data security.

Cybersecurity 101: Protect your privacy from hackers, spies ...

Data packets are encrypted before they are sent to a destination server, which also results in IP addresses and your location becoming hidden....

What is data security? The ultimate guide

Data security is the practice of safeguarding digital information from unauthorized access, accidental loss, disclosure and modification, ...

Data Protection and Privacy: 12 Ways to Protect User Data

Data protection solutions rely on technologies such as data loss prevention (DLP), storage with built-in data protection, firewalls, encryption, ...

Securing APIs: 10 Best Practices for Keeping Your Data ...

Prioritize security. · Inventory and manage your APIs. · Use a strong authentication and authorization solution. · Practice the principle of least ...