[Python-Dev] We cannot fix all issues: let's close XML security issues (not fix them)

Christian Heimes christian at python.org
Fri Sep 7 04:20:02 EDT 2018


On 2018-09-06 17:03, Guido van Rossum wrote:

> FWIW I'm with Antoine here -- XML is still important and I'd like us to go the extra mile here, not just give up because the issues have been inactive for a long time. We can't control what PyYAML does, but for the stdlib XML code, the buck stops here, and we should do the responsible thing.

Back in the day, I didn't push hard for the necessary fixes, because all fixes were breaking changes. After all, I'd have had to disable some features that people may have relied upon. The XML security stuff was my first major security topic for Python, even before SipHash24. I was more concerned about not breaking people's software than about keeping the majority of users safe. I have changed my opinion over the last six, seven years.

By the way I couldn't fix some problems in Python and our expat wrapper either. The expat parser was missing features to properly implement security measurements. I need to check if expat has been improved over the years.

The topic is on the agenda for the core dev sprint.

Christian
