[Python-Dev] We cannot fix all issues: let's close XML security issues (not fix them)
vstinner at redhat.com
Thu Sep 6 10:58:02 EDT 2018
Are you volunteer to fix the XML modules?
Le jeu. 6 sept. 2018 à 16:50, Antoine Pitrou <antoine at python.org> a écrit :
> Le 06/09/2018 à 16:40, Victor Stinner a écrit :
> > Le jeu. 6 sept. 2018 à 16:33, Antoine Pitrou <solipsis at pitrou.net> a écrit :
> >> If we consider fixing these issues to be desirable, then the issues
> >> should be kept open. Closing issues because no-one is working on them
> >> sounds a bit silly to me.
> > I forgot to mention that closing these issues is my reply to Larry's
> > call to fix 3 security issues:
> > https://mail.python.org/pipermail/python-committers/2018-August/006031.html
> > Larry wrote "If they're really all wontfix, maybe we should mark them
> > as wontfix, thus giving 3.4 a sendoff worthy of its heroic stature."
> "wontfix" on 3.4 doesn't mean we won't fix them later, e.g. in 3.8.
> > For these XML issues, the security vulnerabilities can also been seen
> > as XML features. Loading an external DTD is part of the XML
> > specification, as well as entity expansion.
> That doesn't mean there shouldn't be any hard limits to expansion depth
> or breadth.
> Function calls are a Python feature, yet we limit the amount of
> recursion allowed.
> Python-Dev mailing list
> Python-Dev at python.org
> Unsubscribe: https://mail.python.org/mailman/options/python-dev/vstinner%40redhat.com
More information about the Python-Dev