[Python-Dev] Status of XML fixes
Christian Heimes christian at python.org
Sun Mar 17 17:37:37 CET 2013
Hello,
I'd like to give an update on the XML vulnerability fixes. Brett asked me a couple of days ago but I haven't had time to answer. I was/am busy with my daily job.
Any attempt to fix the XML issues will change the behavior of the library and result in an incompatibility with older releases. Benjamin doesn't want to change the behavior of our XML libraries. IIRC Georg and Barry are +0. I think that we should keep the current and unsafe settings as default and add a simple API to enable limitations and protections.
What's available?
https://bitbucket.org/tiran/defusedexpat contains everything we need to fix the issues in the stdlib. All modifications to C code are available for all relevant Python versions. They have been tested on Linux and Windows, too.
- modified expat library with checks and workarounds for entity expansion attacks. All fixes can be enabled or disabled by default at compile time. The default settings can also be configured globally (process wide, may be an issue for subinterpreters) and overwritten on the expat parser instance.
- patched copies of pyexpat and _elementtree C extensions from Python 2.6, 2.7, 3.1, 3.2, 3.3 and 3.4 (a separate copy of each version). The patches provide the functions and attributes to modify the global and instance settings.
- defusedexpat.py contains the patches for sax and dom parsers to disable external entity parsing.
http://bugs.python.org/issue17239 contains an old patch for the issues with a bunch of tests for each issue.
What needs to be done?
- agree on default settings: secure by default or backwards compatible by default?
- review of the changes to expat, pyexpat and _elementtree. Antoine, Brett and Fred Drake have done some reviews.
- design and implement an API to enable the protective restrictions.
- documentation
- perhaps more tests
- finish the CVE reports
In the meantime ...
https://pypi.python.org/pypi/defusedxml provides documentation, examples and fixes for all Python versions w/o any C extension.
Christian
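As an added illustration of the opt-in protections the message describes (not code from the post, from defusedexpat or from defusedxml), the following uses only the stdlib pyexpat handlers to refuse entity declarations and external references instead of patching the C code; the function and exception names are assumed for this example, and it does not reproduce the expansion counters added to expat itself.

```python
import xml.parsers.expat as expat


class EntitiesForbidden(ValueError):
    """Raised when the document declares an entity (internal or external)."""


class ExternalReferenceForbidden(ValueError):
    """Raised when the parser would otherwise have to fetch an external entity."""


def make_hardened_parser(forbid_entities=True, forbid_external=True):
    """Return a pyexpat parser with protective handlers installed (assumed helper).

    Exceptions raised inside pyexpat handlers propagate out of Parse(), which is
    what lets the parser refuse a document before any expansion or fetch occurs.
    """
    parser = expat.ParserCreate()
    # Never let expat process external parameter entities (external DTD subset).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def entity_decl(name, is_parameter_entity, value, base, system_id,
                    public_id, notation_name):
        if forbid_entities:
            raise EntitiesForbidden("entity declaration not allowed: %r" % name)

    def unparsed_entity_decl(name, base, system_id, public_id, notation_name):
        if forbid_entities:
            raise EntitiesForbidden("unparsed entity not allowed: %r" % name)

    def external_entity_ref(context, base, system_id, public_id):
        # expat never fetches anything itself; this handler is the only place
        # a fetch could happen, so refusing here disables external entities.
        if forbid_external:
            raise ExternalReferenceForbidden(
                "external reference not allowed: %r" % (system_id,))
        return 1  # 1 = continue parsing, 0 = abort

    parser.EntityDeclHandler = entity_decl
    parser.UnparsedEntityDeclHandler = unparsed_entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    return parser


def parse_elements(data, **options):
    """Parse `data` (bytes) with a hardened parser; return the element names seen."""
    names = []
    parser = make_hardened_parser(**options)  # fresh parser: a failed one is unusable
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(data, True)
    return names
```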