This repository has been archived by the owner on Jul 24, 2023. It is now read-only.

Yadis XRDS parser vulnerable to various XML DoS attacks #66

Closed
kilink opened this issue Aug 20, 2013 · 2 comments

Comments

@kilink

kilink commented Aug 20, 2013

The Yadis XRDS parsing code is vulnerable to various XML-related DoS attacks.
The offending code is openid.yadis.etxrd.parseXRDS, which relies on the XML library imported by openid.oidutil.importElementTree. The vulnerabilities one will be exposed to depend on which XML libraries are being used.

See the defusedxml PyPI page for a discussion of the various attacks, as well as the solution (e.g., use defusedxml). You can also see the issue where this was fixed in the Ruby package.

Since there seems to be no active development on this package, I have no intention of submitting a pull request to fix this issue. I am simply opening this issue so that others can be aware of the implications of using this package.
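The class of problem described in this report, shown as an added example that is not code from python-openid or from the issue author. The unsafe function stands in for the behaviour the report attributes to parseXRDS (a plain ElementTree parse of attacker-controlled XRDS); the hardened function drives expat directly and aborts on the first entity declaration or external entity reference, which is the strategy defusedxml uses, re-implemented here in a few lines rather than imported. Both XRDS documents are constructed for the example, and the entity bomb is kept deliberately small (4**3 = 64 expansions instead of the usual 10**10) so it runs in a test.

```python
"""Vulnerable vs. hardened XRDS parsing (added example, not project code)."""
import xml.etree.ElementTree as ET
import xml.parsers.expat

XRD_NS = "xri://$xrd*($v*2.0)"

# Constructed XRDS document carrying a scaled-down "billion laughs" bomb:
# three levels of 4-way expansion, so &lol3; becomes 64 copies of "lol".
XRDS_BOMB = """<?xml version="1.0"?>
<!DOCTYPE xrds [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;">
]>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service>
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>&lol3;</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""

# Constructed benign XRDS document, the kind Yadis discovery normally sees.
XRDS_BENIGN = """<?xml version="1.0"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service>
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://example.com/openid</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""


class EntitiesForbidden(ValueError):
    """Raised when a document tries to declare or reference entities."""


def parse_xrds_unsafe(data: str) -> ET.Element:
    """Plain ElementTree parse: expat expands every internal entity it sees,
    so the attacker controls how much memory and CPU the parse consumes."""
    return ET.fromstring(data)


def _fixname(name: str) -> str:
    # expat with namespace_separator="}" reports "uri}local";
    # ElementTree's convention is "{uri}local".
    return "{" + name if "}" in name else name


def parse_xrds_safe(data: str) -> ET.Element:
    """Build the same tree, but refuse entity declarations and external
    entity references before any expansion can happen (defusedxml's
    approach, re-implemented here; hypothetical helper, not the library)."""
    builder = ET.TreeBuilder()
    parser = xml.parsers.expat.ParserCreate(namespace_separator="}")
    parser.buffer_text = True

    def forbid_entity(name, is_param, value, base, system_id, public_id, notation):
        raise EntitiesForbidden(f"entity declaration {name!r} not allowed")

    def forbid_external(context, base, system_id, public_id):
        raise EntitiesForbidden(f"external entity {system_id!r} not allowed")

    parser.EntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = forbid_external
    parser.StartElementHandler = lambda tag, attrs: builder.start(
        _fixname(tag), {_fixname(k): v for k, v in attrs.items()})
    parser.EndElementHandler = lambda tag: builder.end(_fixname(tag))
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)
    return builder.close()


def service_uri(root: ET.Element) -> str:
    """Text of the first <URI> element in the XRD namespace."""
    for el in root.iter("{%s}URI" % XRD_NS):
        return el.text or ""
    raise LookupError("no URI element")


def rejects_entities(data: str) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_xrds_safe(data)
    except EntitiesForbidden:
        return True
    return False


if __name__ == "__main__":
    print("unsafe expanded URI length:", len(service_uri(parse_xrds_unsafe(XRDS_BOMB))))
    print("safe parser rejects bomb:", rejects_entities(XRDS_BOMB))
    print("safe parser on benign doc:", service_uri(parse_xrds_safe(XRDS_BENIGN)))
```

With the real ten-level bomb the unsafe path would try to materialise about 30 GB of text; the hardened path raises on the first `<!ENTITY` line regardless of depth, and still parses ordinary XRDS unchanged. In practice `defusedxml.ElementTree.fromstring` gives the same protection (plus optional DTD forbidding) without hand-rolling the expat plumbing.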

@cdman
Contributor

cdman commented Jan 24, 2014

I submitted a PR to fix this: #73

Alternatively, you can use https://github.com/udacity/python-openid which has the patch already merged.

@ziima
Contributor

ziima commented Nov 25, 2020

This should be fixed now.

@ziima ziima closed this as completed Nov 25, 2020