Thought: what if there's a label on the bug tracker meaning roughly "we're probably not going to fix this anytime soon, but we won't mind someone stepping up"?
On Thu, Sep 6, 2018, 10:04 AM Guido van Rossum <guido@python.org> wrote:
FWIW I'm with Antoine here -- XML is still important and I'd like us to go the extra mile here, not just give up because the issues have been inactive for a long time. We can't control what PyYAML does, but for the stdlib XML code, the buck stops here, and we should do the responsible thing.
On Thu, Sep 6, 2018 at 7:49 AM Antoine Pitrou <antoine@python.org> wrote:
On 06/09/2018 at 16:40, Victor Stinner wrote:
> On Thu, 6 Sept 2018 at 16:33, Antoine Pitrou <solipsis@pitrou.net> wrote:
>> If we consider fixing these issues to be desirable, then the issues
>> should be kept open. Closing issues because no-one is working on them
>> sounds a bit silly to me.
>
> I forgot to mention that closing these issues is my reply to Larry's
> call to fix 3 security issues:
>
> https://mail.python.org/pipermail/python-committers/2018-August/006031.html
>
> Larry wrote "If they're really all wontfix, maybe we should mark them
> as wontfix, thus giving 3.4 a sendoff worthy of its heroic stature."
"wontfix" on 3.4 doesn't mean we won't fix them later, e.g. in 3.8.
> For these XML issues, the security vulnerabilities can also be seen
> as XML features. Loading an external DTD is part of the XML
> specification, as well as entity expansion.
That doesn't mean there shouldn't be any hard limits to expansion depth
or breadth.
Function calls are a Python feature, yet we limit the amount of
recursion allowed.
Regards
Antoine.
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
--
Guido van Rossum (python.org/~guido)
Ryan (ライアン)
Yoko Shimomura, ryo (supercell/EGOIST), Hiroyuki Sawano >> everyone else
https://refi64.com/
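Antoine's point about hard limits on expansion depth or breadth, as an added example that is not part of this thread and not the stdlib's own code: a small wrapper over `xml.parsers.expat` that refuses external DTD subsets and external entity declarations, caps the number of entity declarations, and caps the amount of text that comes out after entity expansion, which bounds the output whatever the nesting depth. The limit values, the `parse_with_limits`/`classify` names and the sample documents are all constructed for this demonstration; only the expat handler names and signatures are the real stdlib API.

```python
"""Hard limits for DTD entity handling on top of the stdlib expat parser.

Added example: every limit value below is an assumption chosen for the
demonstration, not a default of xml.parsers.expat.
"""
import xml.parsers.expat as expat


class XMLLimitError(ValueError):
    """A document exceeded one of the hard limits configured by the caller."""


def parse_with_limits(data, *, max_entity_decls=16, max_expanded_chars=4096):
    """Parse *data* (bytes or str) and return parse statistics.

    Enforced inside expat's callbacks while parsing:
      * no external DTD subset (<!DOCTYPE ... SYSTEM/PUBLIC ...>),
      * no external entity declarations,
      * at most max_entity_decls entity declarations,
      * at most max_expanded_chars characters of text after expansion.
    An exception raised inside a handler is re-raised by Parse().
    """
    stats = {"root": None, "entity_decls": 0, "expanded_chars": 0}

    def start_doctype(name, system_id, public_id, has_internal_subset):
        if system_id is not None or public_id is not None:
            raise XMLLimitError(f"external DTD subset refused for <!DOCTYPE {name}>")

    def entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        stats["entity_decls"] += 1
        if system_id is not None or public_id is not None:
            raise XMLLimitError(f"external entity {name!r} refused")
        if stats["entity_decls"] > max_entity_decls:
            raise XMLLimitError(f"more than {max_entity_decls} entity declarations")

    def external_entity_ref(context, base, system_id, public_id):
        # Returning 0 makes expat abort the parse; nothing is ever fetched.
        return 0

    def start_element(tag, attrs):
        if stats["root"] is None:
            stats["root"] = tag

    def character_data(text):
        # Replacement text of internal entities arrives here, so this counter
        # measures the expanded size, not the size of the source document.
        stats["expanded_chars"] += len(text)
        if stats["expanded_chars"] > max_expanded_chars:
            raise XMLLimitError(f"expanded text exceeds {max_expanded_chars} characters")

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = character_data
    parser.Parse(data, True)
    return stats


def classify(data, **limits):
    """Return ('accepted', stats) or ('rejected', reason) for one document."""
    try:
        return "accepted", parse_with_limits(data, **limits)
    except XMLLimitError as exc:
        return "rejected", str(exc)
    except expat.ExpatError as exc:
        return "rejected", f"malformed: {exc}"


# Constructed sample documents (not taken from the thread).
PLAIN = b'<?xml version="1.0"?><doc>hello</doc>'
SMALL_ENTITY = b'<!DOCTYPE doc [<!ENTITY a "abc">]><doc>&a;</doc>'
# Two levels of nesting: each &b; expands to four &a; (32 characters) and the
# body references &b; four times, so 128 characters come out of ~100 bytes in.
NESTED = (b'<!DOCTYPE doc [<!ENTITY a "xxxxxxxx"><!ENTITY b "&a;&a;&a;&a;">]>'
          b'<doc>&b;&b;&b;&b;</doc>')
EXTERNAL_DTD = b'<!DOCTYPE doc SYSTEM "http://dtd.example.invalid/doc.dtd"><doc/>'
EXTERNAL_ENTITY = b'<!DOCTYPE doc [<!ENTITY e SYSTEM "file:///placeholder">]><doc>&e;</doc>'

if __name__ == "__main__":
    for label, doc in [("plain", PLAIN), ("small entity", SMALL_ENTITY),
                       ("nested", NESTED), ("external dtd", EXTERNAL_DTD),
                       ("external entity", EXTERNAL_ENTITY)]:
        print(label, classify(doc, max_expanded_chars=64))
```

Counting expanded characters rather than declared entities is what makes the limit independent of how the expansion is structured: a deeply nested set of small entities and a flat set of large ones both hit the same ceiling. Expat 2.4 and later also carry their own amplification-factor limit, and when an application never needs DTDs at all, refusing every entity declaration outright (the policy defusedxml defaults to) is the simplest hard limit of all.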