https://github.com/python/cpython/commit/0c17473513a180612ecdfd45baec95abb78c9c59
commit: 0c17473513a180612ecdfd45baec95abb78c9c59
branch: main
author: Sebastian Pipping <[email protected]>
committer: hugovk <[email protected]>
date: 2025-10-14T13:18:09+03:00
summary:
gh-90949: Recommend `hasattr` with Expat security methods (#139800)
files:
M Doc/library/pyexpat.rst
M Doc/library/xml.etree.elementtree.rst
diff --git a/Doc/library/pyexpat.rst b/Doc/library/pyexpat.rst
index 9aae5c9da7471d..ec25c21c300676 100644
--- a/Doc/library/pyexpat.rst
+++ b/Doc/library/pyexpat.rst
@@ -223,10 +223,10 @@ XMLParser Objects
Calling ``SetReparseDeferralEnabled(True)`` allows re-enabling reparse
deferral.
- Note that :meth:`SetReparseDeferralEnabled` has been backported to some
- prior releases of CPython as a security fix. Check for availability of
- :meth:`SetReparseDeferralEnabled` using :func:`hasattr` if used in code
- running across a variety of Python versions.
+ :meth:`!SetReparseDeferralEnabled`
+ has been backported to some prior releases of CPython as a security fix.
+ Check for availability using :func:`hasattr` if used in code running
+ across a variety of Python versions.
.. versionadded:: 3.13
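Review bot: The reworded paragraph still says only "some prior releases", directly above ``.. versionadded:: 3.13``, so a reader cannot tell which older interpreters carry SetReparseDeferralEnabled. Consider naming the patch releases that received the backport, or pointing at the changelog entry, so the hasattr check can be paired with a minimum-version requirement where one is wanted.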
@@ -257,6 +257,11 @@ against some common XML vulnerabilities.
The corresponding :attr:`~ExpatError.lineno` and :attr:`~ExpatError.offset`
should not be used as they may have no special meaning.
+ :meth:`!SetBillionLaughsAttackProtectionActivationThreshold`
+ has been backported to some prior releases of CPython as a security fix.
+ Check for availability using :func:`hasattr` if used in code running
+ across a variety of Python versions.
+
.. note::
Activation thresholds below 4 MiB are known to break support for DITA 1.3
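Review bot: The paragraph added for SetBillionLaughsAttackProtectionActivationThreshold says to probe with hasattr but not what a caller should do when the probe fails. For a security setter that gap matters: code that simply skips the call on a False result goes on parsing without the limit it meant to set. Suggest one more sentence on the fallback, for example that code handling untrusted XML should treat a missing method as a reason to require a newer runtime rather than continue silently.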
@@ -288,6 +293,11 @@ against some common XML vulnerabilities.
The corresponding :attr:`~ExpatError.lineno` and :attr:`~ExpatError.offset`
should not be used as they may have no special meaning.
+ :meth:`!SetBillionLaughsAttackProtectionMaximumAmplification`
+ has been backported to some prior releases of CPython as a security fix.
+ Check for availability using :func:`hasattr` if used in code running
+ across a variety of Python versions.
+
.. note::
The maximum amplification factor is only considered if the threshold
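Review bot: In the paragraph added for SetBillionLaughsAttackProtectionMaximumAmplification, the hasattr advice covers this method alone, while the note directly below ties the amplification factor to the threshold. It would help to say whether the two setters were always backported together, so that one check is enough, or to tell readers to check for both before relying on either.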
@@ -309,6 +319,11 @@ against some common XML vulnerabilities.
The corresponding :attr:`~ExpatError.lineno` and :attr:`~ExpatError.offset`
should not be used as they may have no special meaning.
+ :meth:`!SetAllocTrackerActivationThreshold`
+ has been backported to some prior releases of CPython as a security fix.
+ Check for availability using :func:`hasattr` if used in code running
+ across a variety of Python versions.
+
.. versionadded:: next
.. method:: xmlparser.SetAllocTrackerMaximumAmplification(max_factor, /)
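Review bot: The paragraph added for SetAllocTrackerActivationThreshold states the backport in the past tense ("has been backported") immediately above ``.. versionadded:: next``, which is still the unreleased placeholder. Worth confirming that the backports are already merged before this text ships, or the sentence will be inaccurate on main until they are.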
@@ -334,6 +349,11 @@ against some common XML vulnerabilities.
The corresponding :attr:`~ExpatError.lineno` and :attr:`~ExpatError.offset`
should not be used as they may have no special meaning.
+ :meth:`!SetAllocTrackerMaximumAmplification`
+ has been backported to some prior releases of CPython as a security fix.
+ Check for availability using :func:`hasattr` if used in code running
+ across a variety of Python versions.
+
.. note::
The maximum amplification factor is only considered if the threshold
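Review bot: The paragraph added for SetAllocTrackerMaximumAmplification is the fifth copy in pyexpat.rst of the same four lines with only the method name changed. One shared note that lists the backported methods, referenced from each entry, would be easier to keep accurate than five copies that have to be edited in step.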
diff --git a/Doc/library/xml.etree.elementtree.rst
b/Doc/library/xml.etree.elementtree.rst
index 00075ac2a23e6b..881708a4dd702e 100644
--- a/Doc/library/xml.etree.elementtree.rst
+++ b/Doc/library/xml.etree.elementtree.rst
@@ -1398,10 +1398,10 @@ XMLParser Objects
Disabling reparse deferral has security consequences; please see
:meth:`xml.parsers.expat.xmlparser.SetReparseDeferralEnabled` for
details.
- Note that :meth:`flush` has been backported to some prior releases of
- CPython as a security fix. Check for availability of :meth:`flush`
- using :func:`hasattr` if used in code running across a variety of Python
- versions.
+ :meth:`!flush`
+ has been backported to some prior releases of CPython as a security fix.
+ Check for availability using :func:`hasattr` if used in code running
+ across a variety of Python versions.
.. versionadded:: 3.13
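Review bot: In the XMLParser hunk the new wording drops "of :meth:`flush`" from the second sentence, so "Check for availability using hasattr" no longer names what to probe or on which object. Since both XMLParser and XMLPullParser get this paragraph, consider spelling the check out once, e.g. hasattr(parser, "flush"), so readers do not have to infer it from the line above.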
@@ -1476,10 +1476,10 @@ XMLPullParser Objects
Disabling reparse deferral has security consequences; please see
:meth:`xml.parsers.expat.xmlparser.SetReparseDeferralEnabled` for
details.
- Note that :meth:`flush` has been backported to some prior releases of
- CPython as a security fix. Check for availability of :meth:`flush`
- using :func:`hasattr` if used in code running across a variety of Python
- versions.
+ :meth:`!flush`
+ has been backported to some prior releases of CPython as a security fix.
+ Check for availability using :func:`hasattr` if used in code running
+ across a variety of Python versions.
.. versionadded:: 3.13
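Review bot: Style point on the added lines in the XMLPullParser hunk: ``:meth:`!flush``` sits alone on its source line with the sentence continuing on the next one. reST joins them into one paragraph, so the output is fine, but the source would read more naturally reflowed to fill the line like the surrounding text, unless the fixed layout is deliberate to keep all copies of the paragraph identical.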