[New-bugs-announce] [issue29050] xml.etree.ElementTree in Python 3.6 is incompatible with defusedxml

Adam Williamson report at bugs.python.org
Thu Dec 22 12:48:46 EST 2016


New submission from Adam Williamson:

The changes made to xml.etree.ElementTree in this commit:

https://github.com/python/cpython/commit/12a626fae80a57752ccd91ad25b5a283e18154ec

break defusedxml, Christian Heimes' library of modified parsers that's intended to be safe for parsing untrusted input. As of now, it's not possible to have defusedxml working properly with Python 3.6; its ElementTree parsers cannot work properly.

Of course, defusedxml is an external library that does 'inappropriate' things (like fiddling around with internals of the xml library). So usually this should be considered just a problem for defusedxml to deal with somehow, and indeed I've reported it there: https://github.com/tiran/defusedxml/issues/3. That report has more details on the precise problem.

I thought it was worthwhile reporting to Python itself as well, however, for a specific reason. The Python docs for the xml library explicitly cover and endorse the use of defusedxml:

"defusedxml is a pure Python package with modified subclasses of all stdlib XML parsers that prevent any potentially malicious operation. Use of this package is recommended for any server code that parses untrusted XML data." - https://docs.python.org/3.6/library/xml.html#the-defusedxml-and-defusedexpat-packages

so as things stand, the Python 3.6 docs will explicitly recommend people use a module which does not work with Python 3.6. Is this considered a serious problem?

It also looks to me (though I'm hardly an expert) as if it might be quite difficult and ugly to fix this on the defusedxml side, and the 'nicest' fix might actually be to tweak Python's xml module back a bit more to how it was in < 3.6 (but without losing the optimization from the commit in question) so it's easier for defusedxml to get at the internals it needs...but I could well be wrong about that.

Thanks!

----------
components: XML
messages: 283854
nosy: adamwill
priority: normal
severity: normal
status: open
title: xml.etree.ElementTree in Python 3.6 is incompatible with defusedxml
type: behavior
versions: Python 3.6

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue29050>
_______________________________________
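Editor's note on the docs passage quoted in the report above: what "prevent any potentially malicious operation" means in practice is that the document is refused before entity expansion or external fetching can happen. The following is an added, stdlib-only illustration of that defence on xml.parsers.expat (the parser underneath xml.etree.ElementTree); it is my own example code, not the reporter's, defusedxml's or CPython's. The approach (hooking the expat entity, DTD and external-reference handlers so they raise) mirrors what defusedxml does, but the exception classes, the parse_text/refused helpers and the sample documents are constructed here for illustration.

```python
"""Stdlib-only illustration of the entity/DTD refusals defusedxml layers on
top of expat.  Added example, not defusedxml's or CPython's own code; the
exception classes and helper names below are hypothetical."""
import xml.parsers.expat as expat


class DTDForbidden(ValueError):
    """Raised when a <!DOCTYPE> is present and DTDs are disallowed."""


class EntitiesForbidden(ValueError):
    """Raised on any <!ENTITY> declaration (entity-expansion defence)."""


class ExternalReferenceForbidden(ValueError):
    """Raised when the parser is asked to resolve an external entity."""


# Constructed sample: a small entity-expansion ("billion laughs") document.
# Unprotected expat expands &lol2; to 100 copies of "lol".
LAUGHS_XML = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>"""

# Constructed sample: an external entity (XXE-style) reference.
XXE_XML = b"""<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<foo>&xxe;</foo>"""

# Constructed sample: ordinary input that must still parse.
BENIGN_XML = b"<note><to>ops</to><body>hello</body></note>"


def parse_text(data, forbid_entities=True, forbid_dtd=False):
    """Parse `data` with expat and return its concatenated character data.

    With forbid_entities=True every entity declaration or external reference
    raises before anything is expanded or fetched; forbid_dtd=True refuses the
    document as soon as a <!DOCTYPE> is seen.  Exceptions raised inside a
    pyexpat handler propagate out of Parse(), which is what stops the parse."""
    parser = expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append

    if forbid_dtd:
        def start_doctype(name, sysid, pubid, has_internal_subset):
            raise DTDForbidden("DOCTYPE %r refused" % name)
        parser.StartDoctypeDeclHandler = start_doctype

    if forbid_entities:
        def entity_decl(name, *args):
            # Fires for internal and external (SYSTEM/PUBLIC) declarations alike.
            raise EntitiesForbidden("entity declaration %r refused" % name)

        def external_ref(context, base, system_id, public_id):
            # Belt and braces: never let expat resolve an external entity.
            raise ExternalReferenceForbidden("external reference %r refused" % system_id)

        parser.EntityDeclHandler = entity_decl
        parser.UnparsedEntityDeclHandler = entity_decl
        parser.ExternalEntityRefHandler = external_ref

    parser.Parse(data, True)
    return "".join(chunks)


def refused(data, **options):
    """Return the name of the defence that fired for `data`, or None."""
    try:
        parse_text(data, **options)
    except (DTDForbidden, EntitiesForbidden, ExternalReferenceForbidden) as exc:
        return type(exc).__name__
    return None


if __name__ == "__main__":
    print("benign:", parse_text(BENIGN_XML))
    print("unprotected expansion length:", len(parse_text(LAUGHS_XML, forbid_entities=False)))
    print("laughs refused by:", refused(LAUGHS_XML))
    print("xxe refused by:", refused(XXE_XML))
    print("xxe with forbid_dtd refused by:", refused(XXE_XML, forbid_dtd=True))
```

The unprotected call shows why the docs steer server code towards defusedxml: the three-line internal subset already multiplies the payload 100x, and a real bomb nests a few more levels. The protected calls fail closed at the declaration, so nothing is expanded and no file or URL is opened.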

