Re: rdflib: URLInputSource can be abused to retrieve arbitrary documents if used naïvely

To: 1012482@bugs.debian.org
Cc: Andrius Merkys <merkys@debian.org>, debian-med@lists.debian.org
Subject: Re: rdflib: URLInputSource can be abused to retrieve arbitrary documents if used naïvely
From: Nilesh Patra <nilesh@debian.org>
Date: Sun, 31 Jul 2022 14:42:26 +0530
Message-id: <[🔎] 20220731091226.s2xl5xrscxmod5ka@debian>
In-reply-to: <8e0bcfb3-9ad1-2c3e-4051-172614b863aa@debian.org>
References: <8e0bcfb3-9ad1-2c3e-4051-172614b863aa@debian.org>

Hi Andrius,

On Wed, 8 Jun 2022 08:59:13 +0300 Andrius Merkys <merkys@debian.org> wrote:
> Hello,
> 
> rdflib will attempt to resolve any URL in @context in POSTed JSON-LD
> messages, leading to various probing and DDoS vectors, see the upstream
> discussion [1].
> 
> [1] https://github.com/RDFLib/rdflib/issues/1844

rdflib has been removed from testing along with a bunch of other packages.
And it is triggering -rm-s for packages in testing anyway.

Upstream is not actively working on the issue as I see from the github Issue
URL. -- Do you think we can lower severity of this bug for a bit?

-- 
Best,
Nilesh

Attachment: signature.asc
Description: PGP signature

Reply to:

Follow-Ups:
- Re: rdflib: URLInputSource can be abused to retrieve arbitrary documents if used naïvely
  - From: Andrius Merkys <andrius.merkys@gmail.com>

Prev by Date: Re: igblast accepted - how can it be used to test igdiscover
Next by Date: Re: rdflib: URLInputSource can be abused to retrieve arbitrary documents if used naïvely
Previous by thread: Re: igblast accepted - how can it be used to test igdiscover
Next by thread: Re: rdflib: URLInputSource can be abused to retrieve arbitrary documents if used naïvely
Index(es):
- Date
- Thread