[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Python-Dev] We cannot fix all issues: let's close XML security issues (not fix them)


Hi,

The Python bug tracker is full of bugs, and sadly we don't have enough
people to take care of all of them. There are 3 open bugs about
security issues in XML and I simply propose to close it:

   https://bugs.python.org/issue17318
   https://bugs.python.org/issue17239
   https://bugs.python.org/issue24238

The XML documentation already starts with a red warning explaining the
security limitations of the Python implementation and points to
defusedxml and defusedexpat which are existing and working
counter-measures:

   https://docs.python.org/dev/library/xml.html

Note: Christian Heimes, author of these 2 packages, told me that these
modules may not work on Python 3.7, he didn't have time to maintain
them recently. Maybe someone might want to help him?

I suggest to close the 3 Python bugs without doing anything. Are you
ok with that? Keeping the issue open for 3 years doesn't help anyone,
and there is already a security warning in all supported version (I
checked 2.7 and 3.4).

It seems like XML is getting less popular because of JSON becoming
more popular (even if JSON obviously comes with its own set of
security issues...). It seems like less core developers care about XML
(today than 3 years ago).

We should just accept that core developers have limited availability
and that documenting security issues is an *acceptable* trade-off. I
don't see any value of keeping these 3 issues open.

Victor