[Python-Dev] Status of XML fixes

Christian Heimes christian at python.org
Sun Mar 17 17:37:37 CET 2013


Hello,

I'd like to give an update on the XML vulnerability fixes. Brett asked
me a couple of days ago but I haven't had time to answer. I was/am busy
with my daily job.

Any attempt to fix the XML issues *will* change the behavior of the
library and result in an incompatibility with older releases. Benjamin
doesn't want to change the behavior of our XML libraries. IIRC Georg and
Barry are +0. I think that we should keep the current and unsafe
settings as default and add a simple API to enable limitations and
protections.

What's available?
-----------------

https://bitbucket.org/tiran/defusedexpat contains everything we need to
fix the issues in the stdlib. All modifications to C code are available
for all relevant Python versions. They have been tested on Linux and
Windows, too.

* modified expat library with checks and workarounds for entity
expansion attacks. All fixes can be enabled or disabled by default at
compile time. The default settings can also be configured globally
(process wide, may be an issue for subinterpreters) and overwritten on
the expat parser instance.

* patched copies of pyexpat and _elementtree C extensions from Python
2.6, 2.7, 3.1, 3.2, 3.3 and 3.4 (a separate copy of each version). The
patches provide the functions and attributes to modify the global and
instance settings.

* defusedexpat.py contains the patches for sax and dom parsers to
disable external entity parsing.

* http://bugs.python.org/issue17239 contains an old patch for the issues
with a bunch of tests for each issue.


What needs to be done?
----------------------

* agree on default settings: secure by default or backwards compatible
by default?

* review of the changes to expat, pyexpat and _elementtree. Antoine,
Brett and Fred Drake have done some reviews.

* design and implement an API to enable the protective restrictions.

* documentation

* perhaps more tests

* finish the CVE reports


In the meantime ...
-------------------

https://pypi.python.org/pypi/defusedxml provides documentation, examples
and fixes for all Python versions w/o any C extension.


Christian
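The per-parser switch the message argues for can be sketched with hooks the unmodified stdlib already exposes. The block below is an added example written for this page; it is not code from defusedexpat, defusedxml or CPython, and the flag names (`forbid_entities`, `forbid_external`), the exception classes and the sample documents are assumptions constructed for it. It keeps the legacy behaviour reachable (both flags False) and shows the two refusals that matter: entity declarations, which is the lever against expansion attacks, and external entity references, which is what the sax/dom patches in defusedexpat.py disable.

```python
"""Opt-in hardening of the stdlib expat parser (illustrative, added here).

Not code from defusedexpat or CPython; it uses only handler hooks that the
unmodified pyexpat module already exposes. The switch names and the sample
documents are made up for this example.
"""
import xml.parsers.expat


class EntitiesForbidden(ValueError):
    """A DTD entity declaration was seen while declarations are forbidden."""


class ExternalReferenceForbidden(ValueError):
    """The document referenced an external entity while that is forbidden."""


def make_parser(forbid_entities=True, forbid_external=True):
    """Create an expat parser; the defaults mirror a secure-by-default policy.

    Passing both flags as False gives the legacy behaviour the message
    describes: internal entities are expanded and external references are
    silently skipped.
    """
    parser = xml.parsers.expat.ParserCreate()

    if forbid_entities:
        # Fires for every <!ENTITY ...> declaration, internal or external.
        # Refusing all declarations stops expansion attacks at the root:
        # an entity can only be referenced after it has been declared.
        def entity_decl(name, is_parameter_entity, value, base,
                        system_id, public_id, notation_name):
            raise EntitiesForbidden("entity declaration %r refused" % name)
        parser.EntityDeclHandler = entity_decl

    if forbid_external:
        # Fires when content references an external (SYSTEM/PUBLIC) entity.
        # Defence in depth for callers that allow declarations but must never
        # let the parser fetch a URL or file named by the document.
        def external_ref(context, base, system_id, public_id):
            raise ExternalReferenceForbidden(
                "external entity %r refused" % (system_id,))
        parser.ExternalEntityRefHandler = external_ref

    return parser


def parse_text(document, **options):
    """Parse a bytes document and return its concatenated character data."""
    parts = []
    parser = make_parser(**options)
    parser.CharacterDataHandler = parts.append
    parser.Parse(document, True)
    return "".join(parts)


def check_document(document, **options):
    """Return ("ok", text) or ("refused", exception name) for a document."""
    try:
        return ("ok", parse_text(document, **options))
    except (EntitiesForbidden, ExternalReferenceForbidden) as exc:
        return ("refused", type(exc).__name__)


# Constructed sample documents for the demonstration (not from the page).
BENIGN_DOC = b"<root>hello</root>"
INTERNAL_ENTITY_DOC = b'<!DOCTYPE r [<!ENTITY e "x">]><r>&e;</r>'
EXTERNAL_ENTITY_DOC = (
    b'<!DOCTYPE r [<!ENTITY ext SYSTEM "http://placeholder.invalid/x">]>'
    b"<r>&ext;</r>"
)

if __name__ == "__main__":
    print(check_document(BENIGN_DOC))
    # Legacy settings: the internal entity is expanded to "x".
    print(check_document(INTERNAL_ENTITY_DOC, forbid_entities=False,
                         forbid_external=False))
    # Hardened settings: the declaration itself is refused.
    print(check_document(INTERNAL_ENTITY_DOC))
    # Declarations allowed, but the external reference is refused.
    print(check_document(EXTERNAL_ENTITY_DOC, forbid_entities=False))
    print(check_document(EXTERNAL_ENTITY_DOC))
```

Raising inside an expat handler aborts the parse and the exception surfaces from `Parse()`, so callers see a clear refusal rather than a half-built tree. The same two hooks are what a stdlib-level "enable protections" API would have to flip on the parser instance, which is why the choice of default matters for every sax, dom and ElementTree user.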


