Are you volunteer to fix the XML modules?
Victor Le jeu. 6 sept. 2018 à 16:50, Antoine Pitrou <anto...@python.org> a écrit : > > > Le 06/09/2018 à 16:40, Victor Stinner a écrit : > > Le jeu. 6 sept. 2018 à 16:33, Antoine Pitrou <solip...@pitrou.net> a écrit : > >> If we consider fixing these issues to be desirable, then the issues > >> should be kept open. Closing issues because no-one is working on them > >> sounds a bit silly to me. > > > > I forgot to mention that closing these issues is my reply to Larry's > > call to fix 3 security issues: > > > > https://mail.python.org/pipermail/python-committers/2018-August/006031.html > > > > Larry wrote "If they're really all wontfix, maybe we should mark them > > as wontfix, thus giving 3.4 a sendoff worthy of its heroic stature." > > "wontfix" on 3.4 doesn't mean we won't fix them later, e.g. in 3.8. > > > For these XML issues, the security vulnerabilities can also been seen > > as XML features. Loading an external DTD is part of the XML > > specification, as well as entity expansion. > > That doesn't mean there shouldn't be any hard limits to expansion depth > or breadth. > > Function calls are a Python feature, yet we limit the amount of > recursion allowed. > > Regards > > Antoine. > _______________________________________________ > Python-Dev mailing list > Python-Dev@python.org > https://mail.python.org/mailman/listinfo/python-dev > Unsubscribe: > https://mail.python.org/mailman/options/python-dev/vstinner%40redhat.com _______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
