[Python-Dev] Status of XML fixes
eliben at gmail.com
Sun Mar 17 19:25:19 CET 2013
> I like to give an update on the XML vulnerability fixes. Brett has asked
> me a couple of days ago but I haven't had time to answer. I was/am busy
> with my daily job.
> Any attempt to fix the XML issues *will* change the behavior of the
> library and result into an incompatibility with older releases. Benjamin
> doesn't want to change the behavior of our XML libraries. IIRC Georg and
> Barry are +0. I think that we should keep the current and unsafe
> settings as default and add a simple API to enable limitations and
IMHO Benjamin is right, given that this attack has been known to exist
since 2003. Moreover, as it appears that no changes whatsoever are going to
make it into 2.7, I don't see why patching of 3.1, 3.2 and 3.3 is needed.
As for 3.4, it can't hurt to add an opt-in option for a safe mode to the
> * review of the changes to expat, pyexpat and _elementtree. Antoine,
> Brett and Fred Drake have done some reviews.
I'll gladly review the _elementtree changes and can help with the expat &
pyexpat changes as well. Until now I had the impression that the patches
aren't ready for review yet. If they are, that's great.
Do you have a patch in the issue tracker (so it can be reviewed with
Rietveld)? ISTM the current form is just a file (say _elementtree.c) in
your Bitbucket repo. Should that be just diffed with the trunk file to see
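An added illustration of the attack class the thread is discussing (not code from this message, from the patches under review, or from the stdlib): a scaled-down "billion laughs" document, the current default behaviour of xml.etree expanding it, and the opt-in style of protection the proposal describes, done here by refusing entity declarations and external DTDs through pyexpat's handlers. The function names, the ForbiddenEntity exception and the sample document are my own for this example.

```python
"""Added example: a scaled-down "billion laughs" document, the default
(expanding) behaviour of xml.etree, and an opt-in parser that refuses entity
declarations via pyexpat's handlers.  Function names, the ForbiddenEntity
exception and the sample document are constructed for this illustration;
they are not from the thread or from the patches under review."""
import xml.etree.ElementTree as ET
from xml.parsers.expat import ParserCreate

# Constructed sample: three nesting levels of ten references each, so the
# parser emits 10**3 copies of "lol" (3000 bytes) from a ~350-byte input.
# The real attack uses ten levels (10**10 copies); this one is kept small so
# it also runs under libexpat >= 2.4, whose built-in amplification limit
# would otherwise abort the expansion before Python sees it.
SMALL_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""


def expanded_text_length(xml_bytes):
    """Current default: xml.etree expands internal entities without limit."""
    root = ET.fromstring(xml_bytes)
    return len(root.text or "")


class ForbiddenEntity(ValueError):
    """Raised when the document declares an entity (internal or external)."""


def safe_parse(xml_bytes):
    """Opt-in hardened parse: build an ElementTree with pyexpat, but refuse
    any entity declaration and any external DTD before expansion happens."""
    parser = ParserCreate()
    builder = ET.TreeBuilder()

    def entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        # Fires for every <!ENTITY ...> in the internal subset, before the
        # entity is ever referenced, so no expansion work is done at all.
        kind = "external" if system_id is not None else "internal"
        raise ForbiddenEntity("%s entity declaration %r refused" % (kind, name))

    def doctype_decl(name, system_id, public_id, has_internal_subset):
        # A DOCTYPE pointing at an external subset is refused outright.
        if system_id is not None or public_id is not None:
            raise ForbiddenEntity("external DTD for %r refused" % name)

    parser.EntityDeclHandler = entity_decl
    parser.StartDoctypeDeclHandler = doctype_decl
    parser.buffer_text = True
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(xml_bytes, True)
    return builder.close()


def rejects_entities(xml_bytes):
    """True when safe_parse refuses the document, False when it parses it."""
    try:
        safe_parse(xml_bytes)
    except ForbiddenEntity:
        return True
    return False


if __name__ == "__main__":
    print("default xml.etree expanded to", expanded_text_length(SMALL_LAUGHS), "bytes")
    print("safe_parse refuses it:", rejects_entities(SMALL_LAUGHS))
    print("safe_parse still handles plain XML:",
          safe_parse(b"<a><b x='1'>hi</b></a>").find("b").attrib)
```

Refusing entity declarations up front is the same shape of check the thread's opt-in API would expose; it blocks the exponential expansion and external-entity cases in one place, and it is a behaviour change for any caller whose documents legitimately use internal entities, which is exactly the compatibility concern raised above. Note that the sample is deliberately small: recent libexpat releases carry their own amplification limit, so a full ten-level payload may now fail with an ExpatError from the C library rather than exhausting memory.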