openid/python-openid

Yadis XRDS parser vulnerable to various XML DoS attacks

Closed this issue · 2 comments

The Yadis XRDS parsing code is vulnerable to various XML-related DoS attacks.
The offending code is openid.yadis.etxrd.parseXRDS, which relies on the XML library imported by openid.oidutil.importElementTree. The vulnerabilities one will be exposed to depend on which XML libraries are being used.

See the defusedxml PyPI page for a discussion of the various attacks, as well as the solution (e.g., use defusedxml). You can also see the issue where this was fixed in the Ruby package.

Since there seems to be no active development on this package, I have no intention of submitting a pull request to fix this issue. I am simply opening this issue so that others can be aware of the implications of using this package.
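Added example, not code from python-openid or from the issue author: a pre-parse guard that refuses any XRDS document declaring a DOCTYPE, entity or external reference before it reaches ElementTree, which is the same hook-based approach defusedxml takes (prefer defusedxml in practice; this version uses only the standard library so it runs as-is). The namespace values are the standard XRDS ones; the sample documents, host name and function names are constructed for the example.

```python
from xml.etree import ElementTree
from xml.parsers import expat

XRD_NS = "xri://$xrd*($v*2.0)"  # namespace of XRD/Service/URI elements


class UnsafeXML(ValueError):
    """Document uses a DTD, entity or external reference; refuse to parse it."""


def _forbid(feature):
    def handler(*_args):
        raise UnsafeXML(f"{feature} is not permitted in an XRDS document")
    return handler


def check_xrds_safe(data: bytes) -> None:
    # Expat fires the declaration handlers before expanding anything, and the
    # first exception aborts the parse, so a nested-entity payload is rejected
    # in time proportional to the input size, not to its expanded size.
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _forbid("a DOCTYPE")
    parser.EntityDeclHandler = _forbid("an entity declaration")
    parser.ExternalEntityRefHandler = _forbid("an external entity reference")
    parser.Parse(data, True)


def is_safe_xrds(data: bytes) -> bool:
    try:
        check_xrds_safe(data)
        return True
    except UnsafeXML:
        return False


def xrds_service_uris(data: bytes) -> list:
    """Guarded replacement for handing raw XRDS bytes straight to ElementTree."""
    check_xrds_safe(data)
    root = ElementTree.fromstring(data)
    return [uri.text for uri in root.iter(f"{{{XRD_NS}}}URI")]


# Constructed sample documents (hypothetical provider, not a real one).
SAFE_XRDS = b"""<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD><Service priority="0">
    <Type>http://specs.openid.net/auth/2.0/signon</Type>
    <URI>https://op.example/openid</URI>
  </Service></XRD>
</xrds:XRDS>"""
# Same shape with an internal DTD declaring one entity: entity declarations are
# the building block of the expansion attacks the issue refers to, so any
# occurrence is grounds for rejection, however small.
ENTITY_XRDS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE XRDS [ <!ENTITY note "x"> ]>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"><XRD/></xrds:XRDS>"""
```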

I submitted a PR to fix this: #73

Alternatively, you can use https://github.com/udacity/python-openid which has the patch already merged.

ziima commented

This should be fixed now.