Opened at 2014-02-17T00:06:11Z
Last modified at 2020-10-30T12:35:44Z
#2192 closed defect
cloud backend: denial of service attacks against XML parser — at Initial Version
| Reported by: | daira | Owned by: | daira |
|---|---|---|---|
| Priority: | minor | Milestone: | undecided |
| Component: | code-storage | Version: | cloud-branch |
| Keywords: | DoS cloud-backend s3 security xml | Cc: | |
| Launchpad Bug: |
Description
A malicious cloud service could easily cause a DoS against the storage server using some of the attacks described in https://pypi.python.org/pypi/defusedxml/. This is not a particularly serious attack as long as one storage server is associated with each cloud service and that server is running in its own virtual machine, since then the cloud service can only affect its own storage server. OTOH, switching to a library that prevents these attacks would probably be straightforward.
Note: See
TracTickets for help on using
tickets.
