On Tue, Jul 16, 2013 at 2:31 AM, Burak Arslan <burak.ars...@arskom.com.tr> wrote: > On 07/15/13 16:53, Chris Angelico wrote: >> I haven't looked into the details, but there was one among a list of >> exploits that was being discussed a few months ago; it involved XML >> schemas, I think, and quite a few generic XML parsers could be tricked >> into fetching arbitrary documents. Whether this could be used for >> anything more serious than a document-viewed receipt or a denial of >> service (via latency) I don't know, but if nothing else, it's a vector >> that JSON simply doesn't have. ChrisA > > I must have missed that exploit report, can you provide a link? > > Parsing arbitrary xml documents and parsing xml schema documents and > applying xml schema semantics to these documents are two very different > operations.
I don't remember all the details; it isn't something I took particular note of, as I don't work much with XML. It was something involving either a schema declaration or a DTD or something of the sort, where normally no external lookup is required but there's an HTTP URL in there and it's possible to force that to be resolved. > Xml schemas are not "tricked" into fetching arbitrary documents, > xs:include and xs:import fetch external documents, it's a well-known > feature. If you don't want this, you should ship all of the schema > documents together and generate the schemas in a way to not include any > external references. So I'm surprised this was presented as a security > exploit. It was something that parsing a basic XML document could trigger, and in an environment where you wouldn't normally expect extra HTTP requests to be going out, hence "tricked". > Json schemas also have similar functionality: > http://json-schema.org/latest/json-schema-core.html#anchor30 > > """ > if canonical dereferencing is used, the implementation will dereference > this URI, and fetch the content at this URI; > """ > > So I don't understand how you're so sure of yourself, but to me, it > seems like Json schemas have the same attack vectors. Yes, but normal JSON data doesn't include schema references. Normal XML data can and often does. ChrisA -- http://mail.python.org/mailman/listinfo/python-list
