[Python-Dev] We cannot fix all issues: let's close XML security issues (not fix them)

Antoine Pitrou antoine at python.org
Thu Sep 6 10:47:09 EDT 2018


Le 06/09/2018 à 16:40, Victor Stinner a écrit :
> Le jeu. 6 sept. 2018 à 16:33, Antoine Pitrou <solipsis at pitrou.net> a écrit :
>> If we consider fixing these issues to be desirable, then the issues
>> should be kept open.  Closing issues because no-one is working on them
>> sounds a bit silly to me.
> 
> I forgot to mention that closing these issues is my reply to Larry's
> call to fix 3 security issues:
> 
> https://mail.python.org/pipermail/python-committers/2018-August/006031.html
> 
> Larry wrote "If they're really all wontfix, maybe we should mark them
> as wontfix, thus giving 3.4 a sendoff worthy of its heroic stature."

"wontfix" on 3.4 doesn't mean we won't fix them later, e.g. in 3.8.

> For these XML issues, the security vulnerabilities can also been seen
> as XML features. Loading an external DTD is part of the XML
> specification, as well as entity expansion.

That doesn't mean there shouldn't be any hard limits to expansion depth
or breadth.

Function calls are a Python feature, yet we limit the amount of
recursion allowed.

Regards

Antoine.


More information about the Python-Dev mailing list