[1.3.x] Don't characterize XML vulnerabilities as DoS-only.

Carl Meyer 2013-02-19 18:23:25 -07:00
parent 747d3f0d03
commit 2378c31430
1 changed file with 5 additions and 6 deletions

@ -39,12 +39,11 @@ XML deserialization
-------------------
The XML parser in the Python standard library is vulnerable to a number of
denial-of-service attacks via external entities and entity expansion. Django
uses this parser for deserializing XML-formatted database fixtures. The fixture
deserializer is not intended for use with untrusted data, but in order to err
on the side of safety in Django 1.3.6 the XML deserializer refuses to parse an
XML document with a DTD (DOCTYPE definition), which closes off these attack
avenues.
attacks via external entities and entity expansion. Django uses this parser for
deserializing XML-formatted database fixtures. The fixture deserializer is not
intended for use with untrusted data, but in order to err on the side of safety
in Django 1.3.6 the XML deserializer refuses to parse an XML document with a
DTD (DOCTYPE definition), which closes off these attack avenues.
These issues in the Python standard library are CVE-2013-1664 and
CVE-2013-1665. More information available `from the Python security team`_.
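Review bot: after dropping "denial-of-service", the added lines still close with "which closes off these attack avenues", but "these" now points only at the generic "attacks via external entities and entity expansion"; consider stating in the new paragraph what the DTD refusal actually prevents (resolution of external entities and entity expansion) so readers can judge the scope of the 1.3.6 mitigation. The `from the Python security team`_ reference and the CVE sentence are unchanged context, so please confirm the `.. _from the Python security team:` target definition still exists elsewhere in the file, since the hunk does not show it.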