21 Feb
2013
21 Feb
'13
2:38 a.m.
On Thu, Feb 21, 2013 at 9:49 AM, Tres Seaver
Two words: "hash randomization". If it applies to one, it applies to the other.
Agreed. Christian's suggested approach sounds sane to me: - make it possible to enable safer behaviour globally in at least 2.7 and 3.3 (and perhaps in 2.6 and 3.2 security releases as well) - make the safer behaviour the default in 3.4 - make it possible to selectively disable the safeguards in all versions A *possible* alternative in to step 1 is loud warnings in the docs directing people to defusedxml, but I prefer the idea of actually making the safeguards available directly in the standard library. Regards, Nick. -- Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia