
[Python-Dev] We cannot fix all issues: let's close XML security issues (not fix them)

On 2018-09-06 17:03, Guido van Rossum wrote:
> FWIW I'm with Antoine here -- XML is still important and I'd like us to
> go the extra mile here, not just give up because the issues have been
> inactive for a long time. We can't control what PyYAML does, but for the
> stdlib XML code, the buck stops here, and we should do the responsible
> thing.

Back in the day, I didn't push hard for the necessary fixes, because
all fixes were breaking changes. After all, I'd have had to disable some
features that people may have relied upon. The XML security stuff was my
first major security topic for Python, even before SipHash24. I was more
concerned not to break people's software than to keep the majority of
users safe. I have changed my opinion over the last six, seven years.

By the way, I couldn't fix some problems in Python and our expat wrapper
either. The expat parser was missing features to properly implement
security measures. I need to check if expat has been improved over
the years.

The topic is on the agenda for the core dev sprint.