Simon Willison’s Weblog


Saturday, 23rd August 2008

DoS vulnerability in REXML. Ruby’s REXML library is susceptible to the “billion laughs” denial of service attack where recursively nested entities expand a single entitity reference to a billion characters (kind of like the exploding zip file attack). Rails applications that process user-supplied XML should apply the monkey-patch ASAP; a proper gem update is forthcoming.

# 11:11 am / billionlaughs, dos, rails, rexml, ruby, security, xml

Tip: Configure SAX parsers for secure processing. Explains the billion laughs attack, among others.

# 11:12 am / billionlaughs, elliotte-rusty-harold, sax, security, xml

Film + Food & drink | (via) The Guardian’s publishing system supports tag intersections based on the URL; this page shows all film stories that also mention food. There’s even an RSS feed.

# 11:18 am / feeds, guardian, intersection, rss, tags

The Python Property Builtin. The always-educational Adam Gomaa explains the Python property built-in and shows how it can be used to improve Django’s model-based URL generation.

# 1:08 pm / adam-gomaa, django, property, python, urls