[Python-checkins] cpython (merge 3.3 -> default): merge with 3.3
georg.brandl
python-checkins at python.org
Sat Oct 12 18:19:02 CEST 2013
http://hg.python.org/cpython/rev/ac0cd73e13ff
changeset: 86233:ac0cd73e13ff
parent: 86231:5e756a93d83b
parent: 86232:6b0ca3963ff1
user: Georg Brandl <georg at python.org>
date: Sat Oct 12 18:19:48 2013 +0200
summary:
merge with 3.3
files:
Doc/library/xml.rst | 12 +++++++-----
1 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/Doc/library/xml.rst b/Doc/library/xml.rst
--- a/Doc/library/xml.rst
+++ b/Doc/library/xml.rst
@@ -53,15 +53,17 @@
to or circumvent firewalls. The attacks on XML abuse unfamiliar features
like inline `DTD`_ (document type definition) with entities.
+The following table gives an overview of the known attacks and if the various
+modules are vulnerable to them.
========================= ======== ========= ========= ======== =========
kind sax etree minidom pulldom xmlrpc
========================= ======== ========= ========= ======== =========
-billion laughs **True** **True** **True** **True** **True**
-quadratic blowup **True** **True** **True** **True** **True**
-external entity expansion **True** False (1) False (2) **True** False (3)
-DTD retrieval **True** False False **True** False
-decompression bomb False False False False **True**
+billion laughs **Yes** **Yes** **Yes** **Yes** **Yes**
+quadratic blowup **Yes** **Yes** **Yes** **Yes** **Yes**
+external entity expansion **Yes** No (1) No (2) **Yes** No (3)
+DTD retrieval **Yes** No No **Yes** No
+decompression bomb No No No No **Yes**
========================= ======== ========= ========= ======== =========
1. :mod:`xml.etree.ElementTree` doesn't expand external entities and raises a
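Review bot: In the added lead-in sentence above the table, "and if the various modules are vulnerable to them" should read "and whether the various modules are vulnerable to them", since "if" can be misread as a condition. With the cells changed from True/False to Yes/No, it would also help for that sentence to say outright that "Yes" means the module is vulnerable, so a reader who skips straight to the table does not take a bold **Yes** for "protected".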
--
Repository URL: http://hg.python.org/cpython