[Python-checkins] bpo-38585: Remove references to defusedexpat (GH-22095)

Zackery Spytz webhook-mailer at python.org
Fri Sep 4 16:57:57 EDT 2020

commit: 51b84f8e96a441c498210f827c1297ee4973525f
branch: master
author: Zackery Spytz <zspytz at gmail.com>
committer: GitHub <noreply at github.com>
date: 2020-09-04T13:57:48-07:00

bpo-38585: Remove references to defusedexpat (GH-22095)

defusedexpat is not maintained.

M Doc/library/xml.rst

diff --git a/Doc/library/xml.rst b/Doc/library/xml.rst
index fb86b6f5564d7..1981cab7cd438 100644
--- a/Doc/library/xml.rst
+++ b/Doc/library/xml.rst
@@ -20,7 +20,7 @@ Python's interfaces for processing XML are grouped in the ``xml`` package.
    The XML modules are not secure against erroneous or maliciously
    constructed data.  If you need to parse untrusted or
    unauthenticated data see the :ref:`xml-vulnerabilities` and
-   :ref:`defused-packages` sections.
+   :ref:`defusedxml-package` sections.
 It is important to note that modules in the :mod:`xml` package require that
 there be at least one SAX-compliant XML parser available. The Expat parser is
@@ -113,9 +113,9 @@ decompression bomb
 The documentation for `defusedxml`_ on PyPI has further information about
 all known attack vectors with examples and references.
-.. _defused-packages:
+.. _defusedxml-package:
-The :mod:`defusedxml` and :mod:`defusedexpat` Packages
+The :mod:`defusedxml` Package
 `defusedxml`_ is a pure Python package with modified subclasses of all stdlib
@@ -124,16 +124,8 @@ package is recommended for any server code that parses untrusted XML data. The
 package also ships with example exploits and extended documentation on more
 XML exploits such as XPath injection.
-`defusedexpat`_ provides a modified libexpat and a patched
-:mod:`pyexpat` module that have countermeasures against entity expansion
-DoS attacks. The :mod:`defusedexpat` module still allows a sane and configurable amount of entity
-expansions. The modifications may be included in some future release of Python,
-but will not be included in any bugfix releases of
-Python because they break backward compatibility.
 .. _defusedxml: https://pypi.org/project/defusedxml/
-.. _defusedexpat: https://pypi.org/project/defusedexpat/
 .. _Billion Laughs: https://en.wikipedia.org/wiki/Billion_laughs
 .. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb
 .. _DTD: https://en.wikipedia.org/wiki/Document_type_definition

More information about the Python-checkins mailing list