[Python-checkins] bpo-38585: Remove references to defusedexpat (GH-22095)
webhook-mailer at python.org
Fri Sep 4 16:57:57 EDT 2020
author: Zackery Spytz <zspytz at gmail.com>
committer: GitHub <noreply at github.com>
bpo-38585: Remove references to defusedexpat (GH-22095)
defusedexpat is not maintained.
diff --git a/Doc/library/xml.rst b/Doc/library/xml.rst
index fb86b6f5564d7..1981cab7cd438 100644
@@ -20,7 +20,7 @@ Python's interfaces for processing XML are grouped in the ``xml`` package.
The XML modules are not secure against erroneous or maliciously
constructed data. If you need to parse untrusted or
unauthenticated data see the :ref:`xml-vulnerabilities` and
- :ref:`defused-packages` sections.
+ :ref:`defusedxml-package` sections.
It is important to note that modules in the :mod:`xml` package require that
there be at least one SAX-compliant XML parser available. The Expat parser is
@@ -113,9 +113,9 @@ decompression bomb
The documentation for `defusedxml`_ on PyPI has further information about
all known attack vectors with examples and references.
-The :mod:`defusedxml` and :mod:`defusedexpat` Packages
+The :mod:`defusedxml` Package
`defusedxml`_ is a pure Python package with modified subclasses of all stdlib
@@ -124,16 +124,8 @@ package is recommended for any server code that parses untrusted XML data. The
package also ships with example exploits and extended documentation on more
XML exploits such as XPath injection.
-`defusedexpat`_ provides a modified libexpat and a patched
-:mod:`pyexpat` module that have countermeasures against entity expansion
-DoS attacks. The :mod:`defusedexpat` module still allows a sane and configurable amount of entity
-expansions. The modifications may be included in some future release of Python,
-but will not be included in any bugfix releases of
-Python because they break backward compatibility.
.. _defusedxml: https://pypi.org/project/defusedxml/
-.. _defusedexpat: https://pypi.org/project/defusedexpat/
.. _Billion Laughs: https://en.wikipedia.org/wiki/Billion_laughs
.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb
.. _DTD: https://en.wikipedia.org/wiki/Document_type_definition
More information about the Python-checkins