#2192 closed defect

cloud backend: denial of service attacks against XML parser — at Version 4

Reported by: daira Owned by: daira
Priority: minor Milestone: undecided
Component: code-storage Version: cloud-branch
Keywords: DoS cloud-backend s3 security xml Cc:
Launchpad Bug:

Description (last modified by daira)

A malicious cloud service could easily cause a DoS against the storage server using some of the attacks described in https://pypi.python.org/pypi/defusedxml/. This is not a particularly serious attack as long as one storage server is associated with each cloud service and that server is running in its own virtual machine, since then the cloud service can only affect its associated storage server's virtual machine. OTOH, switching to a library that prevents these attacks would probably be straightforward.

Change History (4)

comment:1 Changed at 2014-02-17T18:48:32Z by daira

  • Keywords cloud-backend s3 added; cloud removed

comment:2 Changed at 2014-02-17T18:48:45Z by daira

  • Keywords xml added

comment:3 Changed at 2014-03-07T12:16:51Z by daira

  • Description modified (diff)

comment:4 Changed at 2014-03-07T12:17:26Z by daira

  • Description modified (diff)
Note: See TracTickets for help on using tickets.