https://github.com/python/cpython/commit/599093e2e912515c482d0dae5d6285961d65ec1a commit: 599093e2e912515c482d0dae5d6285961d65ec1a branch: 3.13 author: Miss Islington (bot) <[email protected]> committer: gpshead <[email protected]> date: 2025-11-29T07:14:23Z summary:
[3.13] gh-141994: Warn of XXE vulnerability in documentation of SAX feature `xml.sax.handler.feature_external_ges` (GH-141996) (#142073) gh-141994: Warn of XXE vulnerability in documentation of SAX feature `xml.sax.handler.feature_external_ges` (GH-141996) Doc/library/xml.sax.handler.rst: Warn of XXE with feature_external_ges Related to commit baa9f338971c6a13433a8232db77cd45e6b87b77 (cherry picked from commit 440bcb94560937888cd9bcb28a138acc2c6a6cbc) Co-authored-by: Sebastian Pipping <[email protected]> files: A Misc/NEWS.d/next/Documentation/2025-11-26-23-30-09.gh-issue-141994.arBEG6.rst M Doc/library/xml.sax.handler.rst diff --git a/Doc/library/xml.sax.handler.rst b/Doc/library/xml.sax.handler.rst index 38ca4507d81e76..f1af7253e437b4 100644 --- a/Doc/library/xml.sax.handler.rst +++ b/Doc/library/xml.sax.handler.rst @@ -96,6 +96,14 @@ for the feature and property names. .. data:: feature_external_ges + .. warning:: + + Enabling opens a vulnerability to + `external entity attacks <https://en.wikipedia.org/wiki/XML_external_entity_attack>`_ + if the parser is used with user-provided XML content. + Please reflect on your `threat model <https://en.wikipedia.org/wiki/Threat_model>`_ + before enabling this feature. + | value: ``"http://xml.org/sax/features/external-general-entities"`` | true: Include all external general (text) entities. | false: Do not include external general entities. diff --git a/Misc/NEWS.d/next/Documentation/2025-11-26-23-30-09.gh-issue-141994.arBEG6.rst b/Misc/NEWS.d/next/Documentation/2025-11-26-23-30-09.gh-issue-141994.arBEG6.rst new file mode 100644 index 00000000000000..c370e8a86e1766 --- /dev/null +++ b/Misc/NEWS.d/next/Documentation/2025-11-26-23-30-09.gh-issue-141994.arBEG6.rst 
@@ -0,0 +1,4 @@ +:mod:`xml.sax.handler`: Make Documentation of +:data:`xml.sax.handler.feature_external_ges` warn of opening up to `external +entity attacks <https://en.wikipedia.org/wiki/XML_external_entity_attack>`_. +Patch by Sebastian Pipping. _______________________________________________ Python-checkins mailing list
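Review bot: The NEWS entry in Misc/NEWS.d/next/Documentation/2025-11-26-23-30-09.gh-issue-141994.arBEG6.rst reads awkwardly and has a stray capital ("Make Documentation of ... warn of opening up to ..."). Suggest rewording to match the admonition it describes, e.g. ":mod:`xml.sax.handler`: Document that enabling :data:`xml.sax.handler.feature_external_ges` exposes the parser to `external entity attacks <https://en.wikipedia.org/wiki/XML_external_entity_attack>`_." The trailing "Patch by Sebastian Pipping." credit line is fine as is.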
