[Python-Dev] xml.sax and xml.dom fetch DTDs by default (was XML DoS vulnerabilities and exploits in Python)

Paul Boddie paul at boddie.org.uk
Fri Feb 22 00:47:08 CET 2013

Perhaps related to the discussion of denial-of-service vulnerabilities is the 
matter of controlling access to remote resources. I suppose that after the 
following bug was closed, no improvements were made to the standard library:


Do Python programs still visit the W3C site millions of times every day to 
download DTDs that they are not, by default, able to remember from their last 


More information about the Python-Dev mailing list