[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Python-Dev] We cannot fix all issues: let's close XML security issues (not fix them)


Le 06/09/2018 ? 16:58, Victor Stinner a ?crit?:
> Are you volunteer to fix the XML modules?

No.  That doesn't mean nobody else will be.

Regards

Antoine.

> 
> Victor
> Le jeu. 6 sept. 2018 ? 16:50, Antoine Pitrou <antoine at python.org> a ?crit :
>>
>>
>> Le 06/09/2018 ? 16:40, Victor Stinner a ?crit :
>>> Le jeu. 6 sept. 2018 ? 16:33, Antoine Pitrou <solipsis at pitrou.net> a ?crit :
>>>> If we consider fixing these issues to be desirable, then the issues
>>>> should be kept open.  Closing issues because no-one is working on them
>>>> sounds a bit silly to me.
>>>
>>> I forgot to mention that closing these issues is my reply to Larry's
>>> call to fix 3 security issues:
>>>
>>> https://mail.python.org/pipermail/python-committers/2018-August/006031.html
>>>
>>> Larry wrote "If they're really all wontfix, maybe we should mark them
>>> as wontfix, thus giving 3.4 a sendoff worthy of its heroic stature."
>>
>> "wontfix" on 3.4 doesn't mean we won't fix them later, e.g. in 3.8.
>>
>>> For these XML issues, the security vulnerabilities can also been seen
>>> as XML features. Loading an external DTD is part of the XML
>>> specification, as well as entity expansion.
>>
>> That doesn't mean there shouldn't be any hard limits to expansion depth
>> or breadth.
>>
>> Function calls are a Python feature, yet we limit the amount of
>> recursion allowed.
>>
>> Regards
>>
>> Antoine.
>> _______________________________________________
>> Python-Dev mailing list
>> Python-Dev at python.org
>> https://mail.python.org/mailman/listinfo/python-dev
>> Unsubscribe: https://mail.python.org/mailman/options/python-dev/vstinner%40redhat.com