
XML flaws threaten 'enormous' array of apps

24 points by mindhacker almost 16 years ago

9 comments

tow21 almost 16 years ago
Poorly written XML parsers (and I've written my fair share) are always open to DOS attacks; XML has no upper bound on element names, attribute value length, stack depth ...

http://en.wikipedia.org/wiki/Billion_laughs

Same is mostly true of JSON parsers as well of course.

If you let potentially hostile users feed arbitrary data into any of these, even a totally non-buggy, perfectly conformant parser is wide-open to being abused via DOS.
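The point in tow21's comment is that a conformant parser is still a resource sink unless the caller bounds what it will accept. The following is an added example, not code from this thread or from any XML library: a wrapper around Python's standard-library expat binding that refuses entity declarations (the building block of billion-laughs expansion) and enforces explicit limits on input size, nesting depth, attribute length and post-expansion character data. The limit values, the function names and the sample documents are all assumptions constructed for the example.

```python
import xml.parsers.expat

# Added example, not code from the thread or from any XML library: a wrapper
# around the stdlib expat binding that refuses to parse untrusted XML once it
# exceeds explicit resource bounds. The limits below are illustrative defaults.
MAX_INPUT_BYTES = 1 << 20   # raw document size accepted from a client
MAX_DEPTH = 64              # element nesting depth
MAX_TEXT_BYTES = 1 << 20    # total character data after entity expansion
MAX_ATTR_CHARS = 4096       # length of any single attribute value


class RejectedXML(Exception):
    """Raised when the document violates a resource bound or is malformed."""


def parse_untrusted(data, max_depth=MAX_DEPTH, max_text=MAX_TEXT_BYTES,
                    max_attr=MAX_ATTR_CHARS):
    """Walk the document with bounds enforced; return simple statistics."""
    if len(data) > MAX_INPUT_BYTES:
        raise RejectedXML("input too large")

    parser = xml.parsers.expat.ParserCreate()
    state = {"depth": 0, "max_depth": 0, "elements": 0, "text_bytes": 0}

    # Any <!ENTITY ...> declaration is refused outright: internal entities
    # drive expansion attacks (billion laughs), external ones drive
    # out-of-band reads. An exception raised in a handler aborts Parse().
    def on_entity_decl(*_args):
        raise RejectedXML("entity declarations are not accepted")

    def on_start(_name, attrs):
        state["depth"] += 1
        state["elements"] += 1
        if state["depth"] > max_depth:
            raise RejectedXML("nesting too deep")
        state["max_depth"] = max(state["max_depth"], state["depth"])
        for value in attrs.values():
            if len(value) > max_attr:
                raise RejectedXML("attribute value too long")

    def on_end(_name):
        state["depth"] -= 1

    # Character data arrives after entity expansion, so counting it here
    # bounds the expanded size rather than the raw input size.
    def on_chars(chunk):
        state["text_bytes"] += len(chunk.encode("utf-8"))
        if state["text_bytes"] > max_text:
            raise RejectedXML("expanded text too large")

    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_chars

    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise RejectedXML("malformed XML: %s" % exc) from exc
    return {"elements": state["elements"], "max_depth": state["max_depth"],
            "text_bytes": state["text_bytes"]}


def check_untrusted(data, **limits):
    """(accepted, reason) form of parse_untrusted, handy at a request boundary."""
    try:
        parse_untrusted(data, **limits)
        return True, "ok"
    except RejectedXML as exc:
        return False, str(exc)


# Constructed sample inputs, not captured from any real system.
BENIGN = b"<doc><item n='1'>hello</item><item n='2'>world</item></doc>"
DECLARES_ENTITIES = (b"<!DOCTYPE d [<!ENTITY a 'aaaa'><!ENTITY b '&a;&a;&a;&a;'>]>"
                     b"<d>&b;</d>")
TOO_DEEP = b"<a>" * 100 + b"</a>" * 100

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("entities", DECLARES_ENTITIES),
                       ("deep", TOO_DEEP)]:
        print(label, check_untrusted(doc))
```

The design choice worth noting is that the bounds are enforced inside the streaming callbacks rather than after parsing completes, so a hostile document is abandoned at the first violation instead of being fully expanded first. Rejecting all entity declarations is the simplest policy; a service that genuinely needs internal entities would instead cap expansion ratio, which is the approach later expat releases take.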
bsaunder almost 16 years ago
Here's the original press release from the company:

http://www.codenomicon.com/news/press-releases/2009-08-05.shtml

And a CERT-FI advisory:

http://www.cert.fi/en/reports/2009/vulnerability2009085.html

Also the expat-bug and expat-discuss mailing lists were very active in January/February with seemingly related issues:

http://mail.libexpat.org/pipermail/expat-bugs/2009-January/thread.html

http://mail.libexpat.org/pipermail/expat-discuss/2009-February/thread.html
jcromartie almost 16 years ago
The original article sounds like a scare/marketing piece:

    "Targets: Anything that uses XML"
DanielStraight almost 16 years ago
Pretty much a useless article without some explanation of what the flaw is.
sixpoint8 almost 16 years ago
So then there is nothing wrong with XML… There is everything wrong with a few parsers.<p>Wouldn't a better title be "XML Parser Flaws Doom Computing World"?
cema almost 16 years ago
Because of the nature of the flaw, details have not been published. (Also see the original article at http://www.codenomicon.com/labs/xml/) Not clear what can be done about the issue, and how bad the issue is. Should we just wait for it to be resolved?
sgoranson almost 16 years ago
Pretty skeptical this flaw could be in "virtually every open-source XML library available". Seems unlikely a million brains collectively missed whatever this is.
jeroen almost 16 years ago
"xml parser flaws"
tybris almost 16 years ago
Unless they can trigger an infinite loop I'm not really worried about Java/Python based web services being affected. Any exception should be caught on a per-request basis.