

XML flaws threaten 'enormous' array of apps - mindhacker
http://www.theregister.co.uk/2009/08/06/xml_flaws/

======
tow21
Poorly written XML parsers (and I've written my fair share) are always open to
DOS attacks; XML has no upper bound on element names, attribute value length,
stack depth ...

<http://en.wikipedia.org/wiki/Billion_laughs>

Same is mostly true of JSON parsers as well of course.

If you let potentially hostile users feed arbitrary data into any of these,
even a totally non-buggy, perfectly conformant parser is wide-open to being
abused via DOS.

~~~
roc
Somehow I'm surprised that XML/JSON libraries written since the 90s would have
the same core flaw as string libraries written in the 70s.

I know I _shouldn't be_. But here I am, surprised.

~~~
jerf
Well, they're both written in the same language. That ought to be a Big Fat
Steaming Clue (TM).

Someday, I'd like to see a nice library written in something like O'Caml or
Haskell exposed as a C interface that exists solely to be a library. I know
it's technically possible today, but it doesn't seem to have penetrated into
the public consciousness that even a C library doesn't actually have to be
written in C anymore. (It may not be slick yet, but only because people aren't
doing it, chicken and egg. There's no fundamental stopper.) I sure as hell
wouldn't write a "C" library in C if I had anything remotely resembling a
choice.

(Of course, that only solves string bobbles, not the "infinite memory
consumption required" problem, but even then those other languages can have
somewhat cleaner, clever solutions than in C.)

~~~
ajross
The face that no such libraries exist might be interpreted as a Big Fat
Steaming Clue (trademark used without license).

Language geeks need to start thinking seriously about practical infrastructure
issues before any of this happens. The existing infrastructure people aren't
going to start using Haskell simply because you tell them too.

------
bsaunder
Here's the original press release from the company:

[http://www.codenomicon.com/news/press-
releases/2009-08-05.sh...](http://www.codenomicon.com/news/press-
releases/2009-08-05.shtml)

And a CERT-FI advisory:

<http://www.cert.fi/en/reports/2009/vulnerability2009085.html>

Also the expat-bug and expat-discuss mailing lists were very active in
January/February with seemly related issues:

[http://mail.libexpat.org/pipermail/expat-
bugs/2009-January/t...](http://mail.libexpat.org/pipermail/expat-
bugs/2009-January/thread.html)

[http://mail.libexpat.org/pipermail/expat-
discuss/2009-Februa...](http://mail.libexpat.org/pipermail/expat-
discuss/2009-February/thread.html)

------
jcromartie
The original article sounds like a scare/marketing piece:

    
    
        "Targets: Anything that uses XML"

------
DanielStraight
Pretty much a useless article without some explanation of what the flaw is.

~~~
kevindication
Agreed. Also: "3-dimensional programs" are affected!

------
sixpoint8
So then there is nothing wrong with XML… There is everything wrong with a few
parsers.

Wouldn't a better title be "XML Parser Flaws Doom Computing World"?

------
cema
Because of the nature of the flaw, details have not been published. (Also see
the original article at <http://www.codenomicon.com/labs/xml/>) Not clear what
can be done about the issue, and how bad the issue is. Should we just wait for
it to be resolved?

------
sgoranson
Pretty skeptical this flaw could be in "virtually every open-source XML
library available". Seems unlikely a million brains collectively missed
whatever this is.

~~~
jrockway
You are underestimating how easy it is to write insecure C code.

But it would be nice to know if this is expat, libxml2, or what.

------
jeroen
"xml parser flaws"

------
tybris
Unless they can trigger an infinite loop I'm not really worried about
Java/Python based web services being affected. Any exception should be caught
on a per-request basis.

