mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-24 22:26:08 +00:00
Code Issues 32 Releases Wiki Activity

Restrict the XML deserializer to prevent network and entity-expansion DoS attacks.

Browse Source 
This is a security fix. Disclosure and advisory coming shortly.
This commit is contained in:
Carl Meyer
2013-02-11 21:54:53 -07:00
parent d51fb74360
commit c6d69c12ea
2 changed files with 109 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
tests/regressiontests/serializers_regress/tests.py
View File

@@ -10,6 +10,7 @@ from __future__ import absolute_import, unicode_literals
import datetime
import decimal
from django.core.serializers.xml_serializer import DTDForbidden
try:
import yaml
@@ -514,3 +515,17 @@ for format in serializers.get_serializer_formats():
if format != 'python':
setattr(SerializerTests, 'test_' + format + '_serializer_stream', curry(streamTest, format))
class XmlDeserializerSecurityTests(TestCase):
def test_no_dtd(self):
"""
The XML deserializer shouldn't allow a DTD.
This is the most straightforward way to prevent all entity definitions
and avoid both external entities and entity-expansion attacks.
"""
xml = '<?xml version="1.0" standalone="no"?><!DOCTYPE example SYSTEM "http://example.com/example.dtd">'
with self.assertRaises(DTDForbidden):
next(serializers.deserialize('xml', xml))