[Python-Dev] We cannot fix all issues: let's close XML security issues (not fix them)
Guido van Rossum
guido at python.org
Thu Sep 6 11:03:13 EDT 2018
FWIW I'm with Antoine here -- XML is still important and I'd like us to go
the extra mile here, not just give up because the issues have been inactive
for a long time. We can't control what PyYAML does, but for the stdlib XML
code, the buck stops here, and we should do the responsible thing.
On Thu, Sep 6, 2018 at 7:49 AM Antoine Pitrou <antoine at python.org> wrote:
>
> Le 06/09/2018 à 16:40, Victor Stinner a écrit :
> > Le jeu. 6 sept. 2018 à 16:33, Antoine Pitrou <solipsis at pitrou.net> a
> écrit :
> >> If we consider fixing these issues to be desirable, then the issues
> >> should be kept open. Closing issues because no-one is working on them
> >> sounds a bit silly to me.
> >
> > I forgot to mention that closing these issues is my reply to Larry's
> > call to fix 3 security issues:
> >
> >
> https://mail.python.org/pipermail/python-committers/2018-August/006031.html
> >
> > Larry wrote "If they're really all wontfix, maybe we should mark them
> > as wontfix, thus giving 3.4 a sendoff worthy of its heroic stature."
>
> "wontfix" on 3.4 doesn't mean we won't fix them later, e.g. in 3.8.
>
> > For these XML issues, the security vulnerabilities can also been seen
> > as XML features. Loading an external DTD is part of the XML
> > specification, as well as entity expansion.
>
> That doesn't mean there shouldn't be any hard limits to expansion depth
> or breadth.
>
> Function calls are a Python feature, yet we limit the amount of
> recursion allowed.
>
> Regards
>
> Antoine.
> _______________________________________________
> Python-Dev mailing list
> Python-Dev at python.org
> https://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe:
> https://mail.python.org/mailman/options/python-dev/guido%40python.org
>
--
--Guido van Rossum (python.org/~guido)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20180906/821c6351/attachment-0001.html>
More information about the Python-Dev
mailing list