
Re: rdflib: URLInputSource can be abused to retrieve arbitrary documents if used naïvely



Hi Andrius,

On Wed, 8 Jun 2022 08:59:13 +0300 Andrius Merkys <merkys@debian.org> wrote:
> Hello,
> 
> rdflib will attempt to resolve any URL in @context in POSTed JSON-LD
> messages, leading to various probing and DDoS vectors, see the upstream
> discussion [1].
> 
> [1] https://github.com/RDFLib/rdflib/issues/1844

rdflib has been removed from testing along with a bunch of other packages.
And it is triggering -rm-s for packages in testing anyway.

Upstream is not actively working on the issue as I see from the GitHub issue
URL. Do you think we can lower the severity of this bug for a bit?

-- 
Best,
Nilesh
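
The quoted report describes the risk of a parser dereferencing every @context URL found in untrusted JSON-LD. The following is an added example, not part of this thread and not rdflib's own code: a pre-parse guard, written against the stdlib only, that walks an incoming JSON-LD document, collects every @context reference that would be dereferenced (top-level, nested in embedded nodes, scoped on term definitions, or pulled in via @import) and rejects anything not on an allowlist before the document is handed to rdflib. The allowlist contents, the `.example` hostnames and the sample documents are constructed for illustration.

```python
import json
from typing import Any, Iterator, List, Union

# Constructed allowlist: the only remote contexts this service is willing to
# fetch. Everything else is rejected before the JSON-LD parser ever sees it.
ALLOWED_CONTEXTS = frozenset({"https://www.w3.org/ns/activitystreams"})


def _contexts_in(value: Any) -> Iterator[str]:
    """Yield every reference that a JSON-LD processor would dereference for a
    single @context value (string, list, inline object, or a mix)."""
    if isinstance(value, str):
        # Any string-valued context is a document reference; relative IRIs are
        # resolved against the base, so they are treated as remote as well.
        yield value
    elif isinstance(value, list):
        for item in value:
            yield from _contexts_in(item)
    elif isinstance(value, dict):
        for key, inner in value.items():
            if key == "@import" and isinstance(inner, str):
                yield inner                      # JSON-LD 1.1 @import
            elif isinstance(inner, dict) and "@context" in inner:
                yield from _contexts_in(inner["@context"])  # scoped context


def iter_context_refs(node: Any) -> Iterator[str]:
    """Walk the whole document; @context may appear on any embedded node."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "@context":
                yield from _contexts_in(value)
            else:
                yield from iter_context_refs(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_context_refs(item)


def disallowed_contexts(document: Union[str, bytes],
                        allowed=ALLOWED_CONTEXTS) -> List[str]:
    """Return the sorted list of context references that are not allowlisted.
    An empty list means the document can be passed on to the parser."""
    data = json.loads(document)
    return sorted({ref for ref in iter_context_refs(data) if ref not in allowed})


if __name__ == "__main__":
    # Constructed sample: one allowlisted context, one foreign one, plus a
    # scoped context on a term definition and a context on an embedded node.
    sample = {
        "@context": [
            "https://www.w3.org/ns/activitystreams",
            {"ex": {"@id": "https://example.org/ex",
                    "@context": "https://ctx.example/scoped.jsonld"}},
        ],
        "type": "Note",
        "object": {"@context": "https://ctx.example/inner.jsonld", "type": "Link"},
    }
    bad = disallowed_contexts(json.dumps(sample))
    if bad:
        print("rejecting document; unapproved @context references:", bad)
    else:
        print("document is safe to parse")
```

Run the check on the raw request body before calling the parser and refuse the request when the list is non-empty; logging the rejected references gives a useful detection signal for callers that repeatedly point @context at hosts you do not expect.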


