bpo-17239: Disable external entities in SAX parser #9217
Conversation
tiran
force-pushed
the
bpo17239-sax-ges
branch
from
686acbb to
3314077
Compare
|
Since default functionality is changing, should this be included in the |
Doc/library/xml.rst
Outdated
| @@ -75,6 +75,7 @@ decompression bomb Safe Safe Safe S | |||
| 2. :mod:`xml.dom.minidom` doesn't expand external entities and simply returns | |||
| the unexpanded entity verbatim. | |||
| 3. :mod:`xmlrpclib` doesn't expand external entities and omits them. | |||
| 4. External general entities are no longer processed by default. | |||
There was a problem hiding this comment.
Maybe elaborate on "no longer" (just mention Python 3.8?).
| @@ -0,0 +1,3 @@ | |||
| The sax parser no longer processes external entities by default. External | |||
There was a problem hiding this comment.
I suggest "The XML save parser". It's not obvious that sax is related to XML if you are not used to XML.
tiran
force-pushed
the
bpo17239-sax-ges
branch
2 times, most recently
from
15bf855 to
dd8ee7e
Compare
|
LGTM |
Doc/library/xml.rst
Outdated
| @@ -75,6 +75,8 @@ decompression bomb Safe Safe Safe S | |||
| 2. :mod:`xml.dom.minidom` doesn't expand external entities and simply returns | |||
| the unexpanded entity verbatim. | |||
| 3. :mod:`xmlrpclib` doesn't expand external entities and omits them. | |||
| 4. External general entities are no longer processed by default since Python | |||
| 2.7.16, 3.6.7, 3.7.1, and 3.8.0. | |||
There was a problem hiding this comment.
You might only list 3.8.0, but complete this table once we fixed other branches.
I'm not sure about backporting this backward incompatible change to other branches, but if we do it, we should also fix 3.4 and 3.5, no?
tiran
force-pushed
the
bpo17239-sax-ges
branch
3 times, most recently
from
d8125c2 to
55db8ce
Compare
The xml.sax and xml.dom.minidom parsers no longer processes external entities to increase security. Before, the parser created network connections to fetch remote files or loaded local files from the file system for DTD and entities. Signed-off-by: Christian Heimes <[email protected]>
tiran
force-pushed
the
bpo17239-sax-ges
branch
from
55db8ce to
0c8828c
Compare
|
@tiran: Status check is done, and it's a success ✅ . |
|
Thanks @tiran for the PR 🌮🎉.. I'm working now to backport this PR to: 2.7, 3.6, 3.7. |
|
Sorry, @tiran, I could not cleanly backport this to |
|
Sorry, @tiran, I could not cleanly backport this to |
|
Sorry, @tiran, I could not cleanly backport this to |
|
GH-9511 is a backport of this pull request to the 3.7 branch. |
|
GH-9512 is a backport of this pull request to the 3.6 branch. |
The SAX parser no longer processes general external entities by default
to increase security. Before, the parser created network connections
to fetch remote files or loaded local files from the file system for DTD
and entities.
Signed-off-by: Christian Heimes [email protected]
https://bugs.python.org/issue17239