From c6d69c12ea7ee9ad35abc7dbf95e00d624d0df5d Mon Sep 17 00:00:00 2001 From: Carl Meyer Date: Mon, 11 Feb 2013 21:54:53 -0700 Subject: Restrict the XML deserializer to prevent network and entity-expansion DoS attacks. This is a security fix. Disclosure and advisory coming shortly. --- tests/regressiontests/serializers_regress/tests.py | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'tests') diff --git a/tests/regressiontests/serializers_regress/tests.py b/tests/regressiontests/serializers_regress/tests.py index 67aec08af2..e586d76e7f 100644 --- a/tests/regressiontests/serializers_regress/tests.py +++ b/tests/regressiontests/serializers_regress/tests.py @@ -10,6 +10,7 @@ from __future__ import absolute_import, unicode_literals import datetime import decimal +from django.core.serializers.xml_serializer import DTDForbidden try: import yaml @@ -514,3 +515,17 @@ for format in serializers.get_serializer_formats(): if format != 'python': setattr(SerializerTests, 'test_' + format + '_serializer_stream', curry(streamTest, format)) + +class XmlDeserializerSecurityTests(TestCase): + + def test_no_dtd(self): + """ + The XML deserializer shouldn't allow a DTD. + + This is the most straightforward way to prevent all entity definitions + and avoid both external entities and entity-expansion attacks. + + """ + xml = '' + with self.assertRaises(DTDForbidden): + next(serializers.deserialize('xml', xml)) -- cgit v1.3