[Python-Dev] We cannot fix all issues: let's close XML security issues (not fix them)

Antoine Pitrou antoine at python.org
Thu Sep 6 10:47:09 EDT 2018


On 06/09/2018 at 16:40, Victor Stinner wrote:

> On Thu, 6 Sep 2018 at 16:33, Antoine Pitrou <solipsis at pitrou.net> wrote:

>> If we consider fixing these issues to be desirable, then the issues
>> should be kept open. Closing issues because no-one is working on them
>> sounds a bit silly to me.
>
> I forgot to mention that closing these issues is my reply to Larry's call
> to fix 3 security issues:
> https://mail.python.org/pipermail/python-committers/2018-August/006031.html
>
> Larry wrote "If they're really all wontfix, maybe we should mark them as
> wontfix, thus giving 3.4 a sendoff worthy of its heroic stature."

"wontfix" on 3.4 doesn't mean we won't fix them later, e.g. in 3.8.

> For these XML issues, the security vulnerabilities can also be seen as XML
> features. Loading an external DTD is part of the XML specification, as well
> as entity expansion.

That doesn't mean there shouldn't be any hard limits to expansion depth or breadth.

Function calls are a Python feature, yet we limit the amount of recursion allowed.

Regards

Antoine.
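The hard limits argued for above, worked as an added example (my code, not the thread's and not anything CPython ships): an expat-based parser with a hypothetical policy that refuses external DTDs and external entities, caps the number of entity declarations (breadth) and caps the estimated expanded size of each entity (depth), every check running when the entity is declared rather than when it is expanded. The limit values, the `LimitedXMLParser`/`check` names and the test documents are assumptions I made.

```python
import re
import xml.parsers.expat
from xml.parsers.expat import XML_PARAM_ENTITY_PARSING_NEVER
ENTITY_REF = re.compile(r"&([A-Za-z_:][\w.:-]*);")

class EntityLimitExceeded(ValueError):
    pass

class LimitedXMLParser:
    def __init__(self, max_entities=20, max_expansion=10_000):
        self.max_entities, self.max_expansion = max_entities, max_expansion
        self.sizes = {}   # entity name -> estimated expanded length
        self.chunks = []  # character data reported by expat
        self._p = xml.parsers.expat.ParserCreate()
        self._p.SetParamEntityParsing(XML_PARAM_ENTITY_PARSING_NEVER)  # never load an external DTD subset
        self._p.EntityDeclHandler = self._on_entity_decl
        self._p.CharacterDataHandler = self.chunks.append

    def _estimate(self, value):
        # len(value) with each nested &name; replaced by its expanded size (undeclared names count literally)
        total, last = 0, 0
        for m in ENTITY_REF.finditer(value):
            total += (m.start() - last) + self.sizes.get(m[1], len(m[0]))
            last = m.end()
        return total + len(value) - last

    def _on_entity_decl(self, name, is_param, value, base, sysid, pubid, notation):
        if value is None:  # SYSTEM/PUBLIC entity: would fetch an external resource
            raise EntityLimitExceeded(f"external entity {name!r} refused")
        if len(self.sizes) >= self.max_entities:  # breadth limit
            raise EntityLimitExceeded(f"more than {self.max_entities} entity declarations")
        size = self._estimate(value)
        if size > self.max_expansion:  # depth / amplification limit
            raise EntityLimitExceeded(f"entity {name!r} would expand to ~{size} chars")
        self.sizes[name] = size

    def parse(self, data):
        self._p.Parse(data, True)  # an exception raised in a handler aborts the parse
        return "".join(self.chunks)

def check(doc, **limits):
    try:  # the document's text, or 'refused: ...' when a limit trips
        return LimitedXMLParser(**limits).parse(doc)
    except EntityLimitExceeded as exc:
        return f"refused: {exc}"

# Constructed test documents: three nested entities expanding 10 -> 100 -> 1000 characters.
NESTED = '<!DOCTYPE d [<!ENTITY a "xxxxxxxxxx"><!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;"><!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">]><d>&c;</d>'
EXTERNAL = '<!DOCTYPE d [<!ENTITY e SYSTEM "http://example.invalid/x.txt">]><d>&e;</d>'
```

Because the estimate is computed from the declarations alone, a document is rejected before expat has produced a single byte of expanded output.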


