Opened at 2014-02-17T00:06:11Z
Last modified at 2020-10-30T12:35:44Z
#2192 closed defect
cloud backend: denial of service attacks against XML parser — at Version 4
Reported by: | daira | Owned by: | daira |
---|---|---|---|
Priority: | minor | Milestone: | undecided |
Component: | code-storage | Version: | cloud-branch |
Keywords: | DoS cloud-backend s3 security xml | Cc: | |
Launchpad Bug: |
Description (last modified by daira)
A malicious cloud service could easily cause a DoS against the storage server using some of the attacks described in https://pypi.python.org/pypi/defusedxml/. This is not a particularly serious attack as long as one storage server is associated with each cloud service and that server is running in its own virtual machine, since then the cloud service can only affect its associated storage server's virtual machine. OTOH, switching to a library that prevents these attacks would probably be straightforward.
Change History (4)
comment:1 Changed at 2014-02-17T18:48:32Z by daira
- Keywords cloud-backend s3 added; cloud removed
comment:2 Changed at 2014-02-17T18:48:45Z by daira
- Keywords xml added
comment:3 Changed at 2014-03-07T12:16:51Z by daira
- Description modified (diff)
comment:4 Changed at 2014-03-07T12:17:26Z by daira
- Description modified (diff)
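
As an added illustration of the mitigation the description proposes (not code from this ticket or the project), the sketch below parses a cloud service's XML response with the standard-library expat bindings while refusing any DTD or entity declaration, which is the class of protection the defusedxml page describes. The names `parse_untrusted`, `list_keys` and `ForbiddenXML` are hypothetical, and both sample responses are constructed.

```python
import xml.parsers.expat
from xml.etree.ElementTree import TreeBuilder


class ForbiddenXML(ValueError):
    """The response used a DTD or entity feature we refuse to process."""


def _forbid(what):
    # Build an expat handler that aborts the parse as soon as it fires.
    def handler(*args):
        raise ForbiddenXML(what)
    return handler


def parse_untrusted(data: bytes):
    """Parse XML from an untrusted service; reject DTDs and entities."""
    builder = TreeBuilder()
    p = xml.parsers.expat.ParserCreate()
    # Entity-expansion and external-entity attacks all need a DTD, so
    # stop at the first DOCTYPE or entity-related event.
    p.StartDoctypeDeclHandler = _forbid("DOCTYPE declaration")
    p.EntityDeclHandler = _forbid("entity declaration")
    p.UnparsedEntityDeclHandler = _forbid("unparsed entity declaration")
    p.ExternalEntityRefHandler = _forbid("external entity reference")
    p.StartElementHandler = lambda tag, attrs: builder.start(tag, attrs)
    p.EndElementHandler = lambda tag: builder.end(tag)
    p.CharacterDataHandler = builder.data
    try:
        p.Parse(data, True)
    except xml.parsers.expat.ExpatError as e:
        raise ValueError("malformed XML: %s" % e)
    return builder.close()


def list_keys(data: bytes):
    """Return the object keys named in an S3-style bucket listing."""
    return [el.text for el in parse_untrusted(data).iter("Key")]


# Constructed sample responses (not captured from a real service).
GOOD = (b"<ListBucketResult><Name>example-bucket</Name>"
        b"<Contents><Key>shares/ab/abcd/0</Key><Size>1024</Size></Contents>"
        b"</ListBucketResult>")
BAD = (b'<!DOCTYPE ListBucketResult [<!ENTITY a "aaaa">]>'
       b"<ListBucketResult><Name>&a;</Name></ListBucketResult>")
```
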