[Python-Dev] Status of XML fixes

Eli Bendersky eliben at gmail.com
Sun Mar 17 19:25:19 CET 2013

> I'd like to give an update on the XML vulnerability fixes. Brett has asked
> me a couple of days ago but I haven't had time to answer. I was/am busy
> with my daily job.
> Any attempt to fix the XML issues *will* change the behavior of the
> library and result in an incompatibility with older releases. Benjamin
> doesn't want to change the behavior of our XML libraries. IIRC Georg and
> Barry are +0. I think that we should keep the current and unsafe
> settings as default and add a simple API to enable limitations and
> protections.
IMHO Benjamin is right, given that this attack has been known to exist
since 2003. Moreover, as it appears that no changes whatsoever are going to
make it into 2.7, I don't see why patching of 3.1, 3.2 and 3.3 is needed.
As for 3.4, it can't hurt to add an opt-in option for a safe mode to the
affected libraries.

> * review of the changes to expat, pyexpat and _elementtree. Antoine,
> Brett and Fred Drake have done some reviews.
I'll gladly review the _elementtree changes and can help with the expat &
pyexpat changes as well. Until now I had the impression that the patches
aren't ready for review yet. If they are, that's great.

Do you have a patch in the issue tracker (so it can be reviewed with
Rietveld)? ISTM the current form is just a file (say _elementtree.c) in
your Bitbucket repo. Should that be just diffed with the trunk file to see
the changes?
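As an added illustration of what the opt-in "safe mode" discussed above could look like at the pyexpat level (example code written for this page, not code from the thread or from CPython): a parser that refuses any entity declaration, which is the one thing every entity-expansion or external-entity document needs. The sample XML inputs are constructed.

```python
import xml.parsers.expat


class EntitiesForbidden(ValueError):
    """Raised when the document declares an entity (internal or external)."""


def make_safe_parser():
    """Return a pyexpat parser that rejects every <!ENTITY ...> declaration.

    Exponential expansion and external-entity inclusion both require an
    entity declaration in the DTD, so refusing the declaration itself
    blocks the whole class before any expansion happens.
    """
    parser = xml.parsers.expat.ParserCreate()

    def forbid_entity(name, is_parameter_entity, value, base,
                      system_id, public_id, notation_name):
        # An exception raised inside an expat handler aborts Parse()
        # and propagates to the caller.
        raise EntitiesForbidden("entity declaration %r rejected" % name)

    parser.EntityDeclHandler = forbid_entity
    # Never fetch or parse an external DTD subset either.
    parser.SetParamEntityParsing(
        xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    return parser


def parse_safely(data):
    """Parse `data` (bytes) with the safe parser; return (root tag, text)."""
    result = {"root": None, "text": []}
    parser = make_safe_parser()
    parser.StartElementHandler = lambda name, attrs: result.__setitem__(
        "root", result["root"] or name)
    parser.CharacterDataHandler = result["text"].append
    parser.Parse(data, True)
    return result["root"], "".join(result["text"])


def rejected(data):
    """True if the safe parser refused `data` because of an entity declaration."""
    try:
        parse_safely(data)
    except EntitiesForbidden:
        return True
    return False


# Constructed sample inputs (not from the thread).
BENIGN = b"<doc>hello</doc>"
# One internal entity declaration is enough to trigger the rejection.
WITH_ENTITY = b'<!DOCTYPE doc [<!ENTITY e "x">]><doc>&e;</doc>'
```

Mapping this onto ElementTree means installing the same handler on the expat parser that `XMLParser` wraps, which is where an opt-in flag in the affected libraries would live.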

