SOAPpy: XML billion laughs attack unfixed for client
thoger opened this issue · comments
Commit 64125a2 fixes the billion laughs issue in SOAPpy. However, because of the way the `forbid_*` defaults were chosen and how the client and server parts call `parseSOAPRPC`, the client side remains vulnerable to the billion laughs attack. A malicious SOAP server can cause a SOAPpy client to use an excessive amount of memory and CPU time.

FWIW, the `_parseSOAP` arguments seem confusing, given that `ignore_ext` overlaps with `forbid_*`, and that setting it to true disables not only external entities, as the argument name suggests, but also internal entities.
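Added example, not SOAPpy's own code: a client-side response parser built on Python's standard-library expat bindings that refuses any entity declaration (internal or external) before expansion happens, which is the protection the issue says the client lacks. The two SOAP documents are constructed samples; the "laughs" one is kept to four levels so that running it without the guard only shows the amplification, not an exhaustion.

```python
import xml.parsers.expat as expat


class ForbiddenEntity(ValueError):
    """Raised when a response declares entities and the client forbids them."""


def parse_soap_response(xml_bytes, forbid_entities=True):
    """Parse a SOAP response and return (root element name, expanded character count).

    With forbid_entities=True, every <!ENTITY> declaration, internal or external,
    and every external entity reference aborts parsing before any expansion.
    """
    parser = expat.ParserCreate()
    state = {"root": None, "chars": 0}

    def on_start(name, attrs):
        if state["root"] is None:
            state["root"] = name

    def on_chars(data):
        state["chars"] += len(data)  # counts text after entity expansion

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise ForbiddenEntity("entity declaration %r not allowed in a response" % name)

    def on_external_ref(context, base, system_id, public_id):
        raise ForbiddenEntity("external entity reference not allowed in a response")

    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    if forbid_entities:
        parser.EntityDeclHandler = on_entity_decl
        parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(xml_bytes, True)
    return state["root"], state["chars"]


def is_rejected(xml_bytes):
    """True if the hardened parser refuses the document."""
    try:
        parse_soap_response(xml_bytes, forbid_entities=True)
    except ForbiddenEntity:
        return True
    return False


# Constructed samples: a benign response and a small entity-expansion response.
BENIGN = b'<?xml version="1.0"?><Envelope><Body><r>ok</r></Body></Envelope>'
LAUGHS = (
    b'<?xml version="1.0"?><!DOCTYPE Envelope [<!ENTITY a "lol">'
    b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">'
    b'<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">'
    b'<!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">]>'
    b'<Envelope><Body><r>&d;</r></Body></Envelope>'
)
```

Run without the guard, the roughly 250-byte `LAUGHS` document expands to 3000 characters of text; each added level multiplies that by ten, which is the memory and CPU cost a malicious server can impose on an unguarded client.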