[Python-Dev] We cannot fix all issues: let's close XML security issues (not fix them)

Christian Heimes christian at python.org
Fri Sep 7 04:20:02 EDT 2018

On 2018-09-06 17:03, Guido van Rossum wrote:
> FWIW I'm with Antoine here -- XML is still important and I'd like us to
> go the extra mile here, not just give up because the issues have been
> inactive for a long time. We can't control what PyYAML does, but for the
> stdlib XML code, the buck stops here, and we should do the responsible
> thing.

Back in the days, I didn't push hard for the necessary fixes, because
all fixes were breaking changes. After all I'd have to disable some
features that people may have relied upon. The XML security stuff was my
first major security topic for Python, even before SipHash24. I was more
concerned not to break people's software than to keep the majority of
users safe. I have changed my opinion over the last six, seven years.

By the way I couldn't fix some problems in Python and our expat wrapper
either. The expat parser was missing features to properly implement
security measurements. I need to check if expat has been improved over
the years.

The topic is on the agenda for the core dev sprint.


More information about the Python-Dev mailing list