[xml] Research about vulnerabilities

2019-10-29 Thread Raphael de Carvalho Muniz
Dear libxml2 owners, I am performing research about weaknesses in C open source programs. As part of my research, I am studying weaknesses that may be vulnerabilities in the Libxml2 project. I found in the commit history of Libxml2 (commit 9acef28) the presence of the following code snippet in

Re: [xml] Research about vulnerabilities

2019-10-29 Thread Nick Wellnhofer
On 29/10/2019 14:30, Raphael de Carvalho Muniz wrote: I found in the commit history of Libxml2 (commit 9acef28) the presence of the following code snippet in the libxml.c file (Lines 1,597 - 1,612). More specifically python/libxml.c which is part of the Python bindings. I believe that this co

Re: [xml] Research about vulnerabilities

2019-10-29 Thread Webb Scales
Raphael, First, the disclaimers: I'm not an XML maintainer or even a contributor; and, I've only given this a cursory glance. Here are my reactions. First, the routine in question is declared to be of module static scope. I believe that this means that any exploitation of it would have to

Re: [xml] Research about vulnerabilities

2019-10-29 Thread Eric Eberhard
I agree. I also don’t think people attack XML parsing. The sending/receiving can be done encrypted. This seems a lot like a theoretical problem, not a real-world problem. My feelings are that protecting against all possible attacks is not possible. Or stupid programming. Take the phy

Re: [xml] Research about vulnerabilities

2019-10-29 Thread Aleksey Sanin
People do attack XML parsing (as well as any other input), the encryption on the wire doesn't stop a malicious client from crafting special input and sending it to the server. I did a cursory look at the code and I believe Nick is correct that the function in question is never called with a user-

Re: [xml] Research about vulnerabilities

2019-10-29 Thread Eric Eberhard
You are not wrong -- I just put this issue into the unlikely to happen category. If it was higher level and easy to do I might have another opinion. This is like getting past the Dobermans :-) I do have a funny story. I had a customer with a simple firewall (basically IP rules) that cost a f