[Python-Dev] We cannot fix all issues: let's close XML security issues (not fix them)

Victor Stinner vstinner at redhat.com
Thu Sep 6 10:40:16 EDT 2018


On Thu, 6 Sep 2018 at 16:33, Antoine Pitrou <solipsis at pitrou.net> wrote:
> If we consider fixing these issues to be desirable, then the issues
> should be kept open.  Closing issues because no-one is working on them
> sounds a bit silly to me.

I forgot to mention that closing these issues is my reply to Larry's
call to fix 3 security issues:

https://mail.python.org/pipermail/python-committers/2018-August/006031.html

Larry wrote "If they're really all wontfix, maybe we should mark them
as wontfix, thus giving 3.4 a sendoff worthy of its heroic stature."

For these XML issues, the security vulnerabilities can also be seen
as XML features. Loading an external DTD is part of the XML
specification, as well as entity expansion.

I'm also dubious about PyYAML which allows running arbitrary Python
code in a configuration *by default*. But well, it seems like nobody
stepped in to change the default.

Victor
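The two XML "features" Victor names (external DTD loading and entity expansion) can be refused at the parser level rather than fixed in the library. The following is an added example, not code from this thread or from CPython: it uses only the standard library's `xml.parsers.expat` and rejects any document that declares entities or points at an external DTD subset, while still returning the leaf elements of a plain document. The `parse_strict` and `classify` helpers, the `UnsafeXML` exception and the sample documents are all constructed for this illustration.

```python
"""Refuse the DTD features discussed in the thread before any expansion happens.

Added example (not from the mailing-list post or from CPython). Uses only the
standard library; the helper names and sample documents are constructed here.
"""
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when a document uses a DTD feature this parser refuses."""


def parse_strict(data: bytes, allow_dtd: bool = False) -> list:
    """Parse `data` and return (tag, text) pairs in element-close order.

    Any entity declaration or external entity reference aborts the parse.
    With allow_dtd=False (the default) a DOCTYPE of any kind is refused;
    with allow_dtd=True an internal-only DOCTYPE is tolerated but an
    external subset (SYSTEM/PUBLIC identifier) is still refused.
    """
    parser = expat.ParserCreate()
    # Never fetch or expand parameter entities (this is how external DTD
    # subsets would otherwise be pulled in).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    elements = []   # completed (tag, text) pairs
    stack = []      # open elements: [tag, [text fragments]]

    def start_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_dtd:
            raise UnsafeXML("DOCTYPE declarations are not accepted")
        if sysid is not None or pubid is not None:
            raise UnsafeXML("external DTD subset is not accepted")

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Fires for internal entities (expansion) and external ones alike;
        # raising here stops expat before anything is expanded or fetched.
        raise UnsafeXML("entity declaration %r is not accepted" % name)

    def external_entity(context, base, sysid, pubid):
        raise UnsafeXML("external entity %r is not accepted" % sysid)

    def start_element(tag, attrs):
        stack.append([tag, []])

    def char_data(text):
        if stack:
            stack[-1][1].append(text)

    def end_element(tag):
        name, parts = stack.pop()
        elements.append((name, "".join(parts)))

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity
    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = char_data
    parser.EndElementHandler = end_element

    # A handler exception propagates out of Parse(), so a refused document
    # never yields partial results to the caller.
    parser.Parse(data, True)
    return elements


def classify(data: bytes, allow_dtd: bool = False) -> str:
    """Return 'accepted' or 'rejected: <reason>' for a document."""
    try:
        parse_strict(data, allow_dtd)
        return "accepted"
    except UnsafeXML as exc:
        return "rejected: %s" % exc


# Constructed sample documents (not real data).
PLAIN = b"<config><host>db.example.internal</host><port>5432</port></config>"
INTERNAL_DTD = b'<!DOCTYPE c [<!ELEMENT c (#PCDATA)>]><c>ok</c>'
INTERNAL_ENTITY = b'<!DOCTYPE c [<!ENTITY v "x">]><c>&v;</c>'
EXTERNAL_DTD = b'<!DOCTYPE c SYSTEM "http://example.invalid/c.dtd"><c/>'

if __name__ == "__main__":
    for label, doc in [("plain", PLAIN), ("internal dtd", INTERNAL_DTD),
                       ("internal entity", INTERNAL_ENTITY),
                       ("external dtd", EXTERNAL_DTD)]:
        print("%-16s strict=%-45s lenient=%s" % (
            label, classify(doc), classify(doc, allow_dtd=True)))
```

The strict mode (no DOCTYPE at all) is what most configuration and API consumers can live with; the lenient mode shows where the line sits if a DTD is genuinely needed: an internal subset with element declarations is fine, entities and external subsets are not.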

