OSDir


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Python-Dev] We cannot fix all issues: let's close XML security issues (not fix them)


Thought: what if there's a label on the bug tracker meaning roughly "we're
probably not going to fix this anytime soon, but we won't mind someone
stepping up"?

On Thu, Sep 6, 2018, 10:04 AM Guido van Rossum <guido at python.org> wrote:

> FWIW I'm with Antoine here -- XML is still important and I'd like us to go
> the extra mile here, not just give up because the issues have been inactive
> for a long time. We can't control what PyYAML does, but for the stdlib XML
> code, the buck stops here, and we should do the responsible thing.
>
> On Thu, Sep 6, 2018 at 7:49 AM Antoine Pitrou <antoine at python.org> wrote:
>
>>
>> Le 06/09/2018 ? 16:40, Victor Stinner a ?crit :
>> > Le jeu. 6 sept. 2018 ? 16:33, Antoine Pitrou <solipsis at pitrou.net> a
>> ?crit :
>> >> If we consider fixing these issues to be desirable, then the issues
>> >> should be kept open.  Closing issues because no-one is working on them
>> >> sounds a bit silly to me.
>> >
>> > I forgot to mention that closing these issues is my reply to Larry's
>> > call to fix 3 security issues:
>> >
>> >
>> https://mail.python.org/pipermail/python-committers/2018-August/006031.html
>> >
>> > Larry wrote "If they're really all wontfix, maybe we should mark them
>> > as wontfix, thus giving 3.4 a sendoff worthy of its heroic stature."
>>
>> "wontfix" on 3.4 doesn't mean we won't fix them later, e.g. in 3.8.
>>
>> > For these XML issues, the security vulnerabilities can also been seen
>> > as XML features. Loading an external DTD is part of the XML
>> > specification, as well as entity expansion.
>>
>> That doesn't mean there shouldn't be any hard limits to expansion depth
>> or breadth.
>>
>> Function calls are a Python feature, yet we limit the amount of
>> recursion allowed.
>>
>> Regards
>>
>> Antoine.
>> _______________________________________________
>> Python-Dev mailing list
>> Python-Dev at python.org
>> https://mail.python.org/mailman/listinfo/python-dev
>>
> Unsubscribe:
>> https://mail.python.org/mailman/options/python-dev/guido%40python.org
>
>
>>
>
> --
> --Guido van Rossum (python.org/~guido)
> _______________________________________________
> Python-Dev mailing list
> Python-Dev at python.org
> https://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe:
> https://mail.python.org/mailman/options/python-dev/rymg19%40gmail.com
>
-- 

Ryan (????)
Yoko Shimomura, ryo (supercell/EGOIST), Hiroyuki Sawano >> everyone else
https://refi64.com/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20180906/32a5d82f/attachment.html>