[Python-Dev] We cannot fix all issues: let's close XML security issues (not fix them)
Victor Stinner
vstinner at redhat.com
Thu Sep 6 10:58:02 EDT 2018
Are you volunteer to fix the XML modules?
Victor
Le jeu. 6 sept. 2018 à 16:50, Antoine Pitrou <antoine at python.org> a écrit :
>
>
> Le 06/09/2018 à 16:40, Victor Stinner a écrit :
> > Le jeu. 6 sept. 2018 à 16:33, Antoine Pitrou <solipsis at pitrou.net> a écrit :
> >> If we consider fixing these issues to be desirable, then the issues
> >> should be kept open. Closing issues because no-one is working on them
> >> sounds a bit silly to me.
> >
> > I forgot to mention that closing these issues is my reply to Larry's
> > call to fix 3 security issues:
> >
> > https://mail.python.org/pipermail/python-committers/2018-August/006031.html
> >
> > Larry wrote "If they're really all wontfix, maybe we should mark them
> > as wontfix, thus giving 3.4 a sendoff worthy of its heroic stature."
>
> "wontfix" on 3.4 doesn't mean we won't fix them later, e.g. in 3.8.
>
> > For these XML issues, the security vulnerabilities can also been seen
> > as XML features. Loading an external DTD is part of the XML
> > specification, as well as entity expansion.
>
> That doesn't mean there shouldn't be any hard limits to expansion depth
> or breadth.
>
> Function calls are a Python feature, yet we limit the amount of
> recursion allowed.
>
> Regards
>
> Antoine.
> _______________________________________________
> Python-Dev mailing list
> Python-Dev at python.org
> https://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe: https://mail.python.org/mailman/options/python-dev/vstinner%40redhat.com
More information about the Python-Dev
mailing list