[Python-Dev] Status of XML fixes (original) (raw)
Eli Bendersky eliben at gmail.com
Sun Mar 17 19:25:19 CET 2013
> I'd like to give an update on the XML vulnerability fixes. Brett asked
> me a couple of days ago but I haven't had time to answer. I was/am busy with my daily job.
> Any attempt to fix the XML issues will change the behavior of the library and result in an incompatibility with older releases. Benjamin doesn't want to change the behavior of our XML libraries. IIRC Georg and Barry are +0. I think that we should keep the current and unsafe settings as default and add a simple API to enable limitations and protections.

IMHO Benjamin is right, given that this attack has been known to exist since 2003. Moreover, as it appears that no changes whatsoever are going to make it into 2.7, I don't see why patching of 3.1, 3.2 and 3.3 is needed. As for 3.4, it can't hurt to add an opt-in option for a safe mode to the affected libraries.

> - review of the changes to expat, pyexpat and _elementtree. Antoine,
> Brett and Fred Drake have done some reviews.
I'll gladly review the _elementtree changes and can help with the expat & pyexpat changes as well. Until now I had the impression that the patches aren't ready for review yet. If they are, that's great.
Do you have a patch in the issue tracker (so it can be reviewed with Rietveld)? ISTM the current form is just a file (say _elementtree.c) in your Bitbucket repo. Should that be just diffed with the trunk file to see the changes?
Eli
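As an added illustration of the "unsafe by default, protection opt-in" model discussed in this thread (example code written for this page, not a patch from the thread or from CPython): a small pyexpat wrapper whose default keeps stock expat behaviour, and whose `forbid_entities` flag (a hypothetical name) refuses any entity declaration before expat can expand it. The function name, the exception class and the sample documents are all constructed for the example.

```python
import xml.parsers.expat


class EntityDeclarationError(ValueError):
    """Raised when a document declares entities and the caller opted in to refuse them."""


def parse_xml(data: bytes, forbid_entities: bool = False) -> dict:
    """Parse `data` with pyexpat and return a summary of elements and entity names seen.

    Default: stock expat behaviour, entities are accepted (the compatible, unsafe default).
    forbid_entities=True: the EntityDeclHandler raises on the first <!ENTITY ...>,
    so the parse aborts before any expansion-based payload can do work.
    """
    parser = xml.parsers.expat.ParserCreate()
    summary = {"elements": [], "entities": []}

    def on_start(name, attrs):
        summary["elements"].append(name)

    # pyexpat calls this for every entity declaration (internal or external);
    # an exception raised here propagates out of parser.Parse().
    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        summary["entities"].append(name)
        if forbid_entities:
            raise EntityDeclarationError(f"entity declaration refused: {name!r}")

    parser.StartElementHandler = on_start
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(data, True)
    return summary


# Constructed sample input: one plain document, one that declares an internal entity.
PLAIN_DOC = b"<root><a/></root>"
ENTITY_DOC = b'<!DOCTYPE r [<!ENTITY e "x">]><r>&e;</r>'

if __name__ == "__main__":
    print(parse_xml(PLAIN_DOC))
    print(parse_xml(ENTITY_DOC))            # accepted by default
    try:
        parse_xml(ENTITY_DOC, forbid_entities=True)
    except EntityDeclarationError as exc:
        print("refused:", exc)
```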