https://github.com/python/cpython/commit/440bcb94560937888cd9bcb28a138acc2c6a6cbc commit: 440bcb94560937888cd9bcb28a138acc2c6a6cbc branch: main author: Sebastian Pipping <[email protected]> committer: gpshead <[email protected]> date: 2025-11-28T23:08:17-08:00 summary:
gh-141994: Warn of XXE vulnerability in documentation of SAX feature `xml.sax.handler.feature_external_ges` (GH-141996) Doc/library/xml.sax.handler.rst: Warn of XXE with feature_external_ges Related to commit baa9f338971c6a13433a8232db77cd45e6b87b77 files: A Misc/NEWS.d/next/Documentation/2025-11-26-23-30-09.gh-issue-141994.arBEG6.rst M Doc/library/xml.sax.handler.rst diff --git a/Doc/library/xml.sax.handler.rst b/Doc/library/xml.sax.handler.rst index 38ca4507d81e76..f1af7253e437b4 100644 --- a/Doc/library/xml.sax.handler.rst +++ b/Doc/library/xml.sax.handler.rst @@ -96,6 +96,14 @@ for the feature and property names. .. data:: feature_external_ges + .. warning:: + + Enabling opens a vulnerability to + `external entity attacks <https://en.wikipedia.org/wiki/XML_external_entity_attack>`_ + if the parser is used with user-provided XML content. + Please reflect on your `threat model <https://en.wikipedia.org/wiki/Threat_model>`_ + before enabling this feature. + | value: ``"http://xml.org/sax/features/external-general-entities"`` | true: Include all external general (text) entities. | false: Do not include external general entities. diff --git a/Misc/NEWS.d/next/Documentation/2025-11-26-23-30-09.gh-issue-141994.arBEG6.rst b/Misc/NEWS.d/next/Documentation/2025-11-26-23-30-09.gh-issue-141994.arBEG6.rst new file mode 100644 index 00000000000000..c370e8a86e1766 --- /dev/null +++ b/Misc/NEWS.d/next/Documentation/2025-11-26-23-30-09.gh-issue-141994.arBEG6.rst @@ -0,0 +1,4 @@ +:mod:`xml.sax.handler`: Make Documentation of +:data:`xml.sax.handler.feature_external_ges` warn of opening up to `external +entity attacks <https://en.wikipedia.org/wiki/XML_external_entity_attack>`_. +Patch by Sebastian Pipping. _______________________________________________ Python-checkins mailing list -- [email protected] To unsubscribe send an email to [email protected] https://mail.python.org/mailman3//lists/python-checkins.python.org Member address: [email protected]
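Review bot: The first sentence of the new ``.. warning::`` block in the ``Doc/library/xml.sax.handler.rst`` hunk has no subject, and the warning never tells the reader which setting is the safe one. "Enabling opens a vulnerability to" should read "Enabling this feature opens a vulnerability to", and since the lines that follow document ``true`` as "Include all external general (text) entities" and ``false`` as "Do not include external general entities", the warning should point at that directly, e.g. "Leave this feature set to ``false`` unless the XML comes from a trusted source." "Please reflect on your threat model before enabling this feature" is also conversational for a reference entry; "Consider your threat model before enabling it" fits the surrounding style. Finally, it is worth one clause saying that this feature governs only external general entities; external parameter entities are controlled separately by ``feature_external_pes``, so a reader should not take ``false`` here as disabling all external entity resolution.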
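Review bot: The NEWS entry in the ``Misc/NEWS.d/next/Documentation/2025-11-26-23-30-09.gh-issue-141994.arBEG6.rst`` hunk is awkwardly worded and inconsistently capitalised ("Make Documentation of ... warn of opening up to"). A plainer form states what changed and why it matters: ":mod:`xml.sax.handler`: Document that enabling :data:`xml.sax.handler.feature_external_ges` exposes the parser to `external entity attacks <https://en.wikipedia.org/wiki/XML_external_entity_attack>`_ when parsing untrusted input." Keeping the hyperlink text "external entity attacks" on a single line is also preferable to the current ``external`` / ``entity attacks`` split; it is valid reST, but it is harder to grep for and easier to break in later edits.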
