[issue17239] XML vulnerabilities in Python

Christian Heimes report at bugs.python.org
Tue Sep 18 10:14:29 EDT 2018


Christian Heimes <lists at cheimes.de> added the comment:

> * only Windows and macOS will get the fix

Modules/expat can be used on all platforms. A downstream patch is only a problem for platforms that compile Python with "./configure --with-system-expat".

The security fixes for entity expansion blowup and external entity loading are backwards incompatible fixes. Technically they also violate XML standards. In practice the vast majority of users will never run into the issue, because external entities are scarcely used. The expat parser is a non-validating XML parser, so DTDs aren't useful at all. I'd rather break a handful of users than keep the majority of users vulnerable.

To fix billion laughs and quadratic blowup once and for all, we also have to break backwards compatibility and require expat >= 2.3.0. For now the modules still work with old versions of expat. IMO it's fine. Vendors either have to update their libraries or use our copy of expat.

Ultimately it's Benjamin's, Larry's, and Ned's decision. They are release managers.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue17239>
_______________________________________
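As an added example (not code from the tracker thread or from CPython itself) of the defensive stance the comment argues for: the stdlib `xml.parsers.expat` module can be driven so that any DTD entity declaration or external entity reference aborts parsing before a single entity is expanded, which is what neutralises entity expansion blowup and external entity loading on every platform regardless of which expat version Python was built against. The `parse_no_entities` and `is_safe_xml` helpers and the two sample documents are constructed for this example.

```python
"""Added example: refuse DTD entities in expat-based parsing (stdlib only)."""
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when a document tries to declare or load entities."""


def parse_no_entities(data: bytes) -> dict:
    """Parse `data` with expat and return element counts.

    Any <!ENTITY ...> declaration (the vector for billion laughs /
    quadratic blowup) and any external entity reference (the vector for
    external entity loading) raises UnsafeXMLError instead of being honoured.
    """
    parser = expat.ParserCreate()
    # Never fetch parameter entities / external DTD subsets from disk or network.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    counts: dict = {}

    def start(name, attrs):
        counts[name] = counts.get(name, 0) + 1

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Declarations are reported while the DTD is read, i.e. before any
        # reference in the body is expanded, so this stops bombs up front.
        raise UnsafeXMLError(f"entity declaration refused: {name!r}")

    def external_ref(context, base, system_id, public_id):
        # Defence in depth: refuse to resolve SYSTEM/PUBLIC entities at all.
        raise UnsafeXMLError(f"external entity refused: {system_id!r}")

    parser.StartElementHandler = start
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    # A handler exception propagates out of Parse(), aborting the document.
    parser.Parse(data, True)
    return counts


def is_safe_xml(data: bytes) -> bool:
    """True if `data` parses without touching entities, False if refused."""
    try:
        parse_no_entities(data)
    except UnsafeXMLError:
        return False
    return True


# Constructed sample inputs: a plain document and one with an internal entity.
SAFE_DOC = b"<root><a/><a/><b>text</b></root>"
ENTITY_DOC = b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY e "x">]><r>&e;</r>'
```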