Guido van Rossum <gu...@python.org> added the comment:
(From PSRT list, Sebastian:) Please note that the vulnerability fix also added two new functions to the API that would be great to have xml.parsers.expat expose to the users for full control. These are:

- XML_SetBillionLaughsAttackProtectionMaximumAmplification and
- XML_SetBillionLaughsAttackProtectionActivationThreshold

Module xml.parsers.expat.errors and its docs also need 6 new error code entries to be complete:

    /* Added in 2.0. */
    38 XML_ERROR_RESERVED_PREFIX_XML
    39 XML_ERROR_RESERVED_PREFIX_XMLNS
    40 XML_ERROR_RESERVED_NAMESPACE_URI
    /* Added in 2.2.1. */
    41 XML_ERROR_INVALID_ARGUMENT
    /* Added in 2.3.0. */
    42 XML_ERROR_NO_BUFFER
    /* Added in 2.4.0. */
    43 XML_ERROR_AMPLIFICATION_LIMIT_BREACH

With regard to the table of vulnerabilities mentioned in the ticket, please note that vulnerability "quadratic blowup" is also fixed by >=2.4.0. Personally, I consider it a flavor of Billion Laughs and all known variations are covered, including that one.

----------
nosy: +gvanrossum

Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue44394>
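As an added example (not part of the tracker thread, of CPython or of libexpat), the following Python pre-check estimates a document's entity-expansion amplification using the same metric libexpat 2.4.0 enforces behind the two functions named above, amplification = (direct + indirect) / direct, with the limit applied only once the processed volume reaches the activation threshold. It lets a caller apply that policy before expansion even where xml.parsers.expat does not expose the knobs. The function names, the AmplificationLimit exception and the SAMPLE document are constructed for this illustration; the default limit (100x) and threshold (8 MiB) are libexpat's documented defaults.

```python
import re
import xml.parsers.expat

# libexpat >= 2.4.0 documented defaults for the two knobs named in the thread.
DEFAULT_MAX_AMPLIFICATION = 100.0
DEFAULT_ACTIVATION_THRESHOLD = 8 * 1024 * 1024   # bytes

# General-entity reference such as "&b;"; character references ("&#38;") are
# deliberately excluded because they never amplify.
_ENTITY_REF = re.compile(r"&([^#;\s][^;\s]*);")


class AmplificationLimit(Exception):
    """Estimated expansion exceeds the allowed amplification factor (hypothetical)."""


def _expanded_size(name, entities, memo, in_progress):
    """Bytes produced by fully expanding internal entity `name` (memoised recursion)."""
    if name in memo:
        return memo[name]
    if name in in_progress:
        # A self-referencing entity is illegal XML and expat rejects it when
        # expanding; for an estimate its expansion is unbounded.
        raise AmplificationLimit(f"recursive entity &{name};")
    value = entities.get(name)
    if value is None:
        # Undeclared or external entity: no internal expansion to account for.
        memo[name] = 0
        return 0
    in_progress.add(name)
    size = len(_ENTITY_REF.sub("", value).encode("utf-8"))   # literal text
    for ref in _ENTITY_REF.findall(value):                   # nested references
        size += _expanded_size(ref, entities, memo, in_progress)
    in_progress.discard(name)
    memo[name] = size
    return size


def estimate_amplification(document):
    """Return (direct_bytes, indirect_bytes, amplification) for `document`.

    Nothing is expanded: installing a non-expanding DefaultHandler makes expat
    hand over each general-entity reference in element content literally, and
    EntityDeclHandler gives us the replacement text with nested references
    still unexpanded.  Limitation: references inside attribute values are
    always expanded by expat itself and are not seen here.
    """
    entities = {}
    memo = {}
    indirect = 0

    def entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        if not is_parameter and value is not None:   # internal general entity
            entities[name] = value

    def default(data):
        nonlocal indirect
        match = _ENTITY_REF.fullmatch(data)
        if match:
            indirect += _expanded_size(match.group(1), entities, memo, set())

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = entity_decl
    parser.DefaultHandler = default          # non-expanding variant on purpose
    parser.Parse(document, True)

    direct = len(document)
    return direct, indirect, (direct + indirect) / direct


def check_amplification(document, max_amplification=DEFAULT_MAX_AMPLIFICATION,
                        activation_threshold=DEFAULT_ACTIVATION_THRESHOLD):
    """Apply expat's rule: the factor is enforced only once direct + indirect
    bytes reach the activation threshold.  Returns the estimated factor."""
    direct, indirect, factor = estimate_amplification(document)
    if direct + indirect >= activation_threshold and factor > max_amplification:
        raise AmplificationLimit(
            f"amplification {factor:.1f}x exceeds limit {max_amplification:.1f}x")
    return factor


# Constructed sample: three nesting levels, four references each, 64 bytes per &c;.
SAMPLE = (b'<!DOCTYPE r [\n'
          b'<!ENTITY a "aaaa">\n'
          b'<!ENTITY b "&a;&a;&a;&a;">\n'
          b'<!ENTITY c "&b;&b;&b;&b;">\n'
          b']>\n'
          b'<r>&c;&c;</r>')

if __name__ == "__main__":
    print(estimate_amplification(SAMPLE))
    # A deliberately low limit with the threshold disabled shows the rule firing.
    try:
        check_amplification(SAMPLE, max_amplification=2.0, activation_threshold=0)
    except AmplificationLimit as exc:
        print("rejected:", exc)
```

A document that passes `check_amplification` can then be handed to an ordinary parser; one that fails is rejected before any replacement text is produced, which is what the expat-level limit achieves internally.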