Skip to content
Browse files

[1.4.x] Restrict the XML deserializer to prevent network and entity-e…

…xpansion DoS attacks.

This is a security fix. Disclosure and advisory coming shortly.
  • Loading branch information...
carljm committed Feb 12, 2013
1 parent 9936fdb commit 1c60d07ba23e0350351c278ad28d0bd5aa410b40
Showing with 108 additions and 1 deletion.
  1. +94 −1 django/core/serializers/
  2. +14 −0 tests/regressiontests/serializers_regress/
@@ -8,6 +8,8 @@
from django.utils.xmlutils import SimplerXMLGenerator
from django.utils.encoding import smart_unicode
from xml.dom import pulldom
from xml.sax import handler
from xml.sax.expatreader import ExpatParser as _ExpatParser

class Serializer(base.Serializer):
@@ -149,9 +151,13 @@ class Deserializer(base.Deserializer):

def __init__(self, stream_or_string, **options):
super(Deserializer, self).__init__(stream_or_string, **options)
self.event_stream = pulldom.parse(
self.event_stream = pulldom.parse(, self._make_parser())
self.db = options.pop('using', DEFAULT_DB_ALIAS)

def _make_parser(self):
"""Create a hardened XML parser (no custom/external entities)."""
return DefusedExpatParser()

def next(self):
for event, node in self.event_stream:
if event == "START_ELEMENT" and node.nodeName == "object":
@@ -290,3 +296,90 @@ def getInnerText(node):
return u"".join(inner_text)

# Below code based on Christian Heimes' defusedxml

class DefusedExpatParser(_ExpatParser):
An expat parser hardened against XML bomb attacks.
Forbids DTDs, external entity references
def __init__(self, *args, **kwargs):
_ExpatParser.__init__(self, *args, **kwargs)
self.setFeature(handler.feature_external_ges, False)
self.setFeature(handler.feature_external_pes, False)

def start_doctype_decl(self, name, sysid, pubid, has_internal_subset):
raise DTDForbidden(name, sysid, pubid)

def entity_decl(self, name, is_parameter_entity, value, base,
sysid, pubid, notation_name):
raise EntitiesForbidden(name, value, base, sysid, pubid, notation_name)

def unparsed_entity_decl(self, name, base, sysid, pubid, notation_name):
# expat 1.2
raise EntitiesForbidden(name, None, base, sysid, pubid, notation_name)

def external_entity_ref_handler(self, context, base, sysid, pubid):
raise ExternalReferenceForbidden(context, base, sysid, pubid)

def reset(self):
parser = self._parser
parser.StartDoctypeDeclHandler = self.start_doctype_decl
parser.EntityDeclHandler = self.entity_decl
parser.UnparsedEntityDeclHandler = self.unparsed_entity_decl
parser.ExternalEntityRefHandler = self.external_entity_ref_handler

class DefusedXmlException(ValueError):
"""Base exception."""
def __repr__(self):
return str(self)

class DTDForbidden(DefusedXmlException):
"""Document type definition is forbidden."""
def __init__(self, name, sysid, pubid):
super(DTDForbidden, self).__init__() = name
self.sysid = sysid
self.pubid = pubid

def __str__(self):
tpl = "DTDForbidden(name='{}', system_id={!r}, public_id={!r})"
return tpl.format(, self.sysid, self.pubid)

class EntitiesForbidden(DefusedXmlException):
"""Entity definition is forbidden."""
def __init__(self, name, value, base, sysid, pubid, notation_name):
super(EntitiesForbidden, self).__init__() = name
self.value = value
self.base = base
self.sysid = sysid
self.pubid = pubid
self.notation_name = notation_name

def __str__(self):
tpl = "EntitiesForbidden(name='{}', system_id={!r}, public_id={!r})"
return tpl.format(, self.sysid, self.pubid)

class ExternalReferenceForbidden(DefusedXmlException):
"""Resolving an external reference is forbidden."""
def __init__(self, context, base, sysid, pubid):
super(ExternalReferenceForbidden, self).__init__()
self.context = context
self.base = base
self.sysid = sysid
self.pubid = pubid

def __str__(self):
tpl = "ExternalReferenceForbidden(system_id='{}', public_id={})"
return tpl.format(self.sysid, self.pubid)
@@ -16,6 +16,7 @@
from cStringIO import StringIO
except ImportError:
from StringIO import StringIO
from django.core.serializers.xml_serializer import DTDForbidden

import yaml
@@ -523,3 +524,16 @@ def streamTest(format, self):
if format != 'python':
setattr(SerializerTests, 'test_' + format + '_serializer_stream', curry(streamTest, format))

class XmlDeserializerSecurityTests(TestCase):

def test_no_dtd(self):
The XML deserializer shouldn't allow a DTD.
This is the most straightforward way to prevent all entity definitions
and avoid both external entities and entity-expansion attacks.
xml = '<?xml version="1.0" standalone="no"?><!DOCTYPE example SYSTEM "">'
self.assertRaises(DTDForbidden, serializers.deserialize('xml', xml).next)

0 comments on commit 1c60d07

Please sign in to comment.
You can’t perform that action at this time.