On 06/09/2018 07.18, Victor Stinner wrote:
> Hi,
>
> The Python bug tracker is full of bugs, and sadly we don't have enough
> people to take care of all of them. There are 3 open bugs about
> security issues in XML and I simply propose to close them:
>
> https://bugs.python.org/issue17318
> https://bugs.python.org/issue17239
> https://bugs.python.org/issue24238
>
> The XML documentation already starts with a red warning explaining the
> security limitations of the Python implementation and points to
> defusedxml and defusedexpat, which are existing and working
> counter-measures:
>
> https://docs.python.org/dev/library/xml.html
>
> Note: Christian Heimes, author of these 2 packages, told me that these
> modules may not work on Python 3.7; he didn't have time to maintain
> them recently. Maybe someone might want to help him?
>
> I suggest closing the 3 Python bugs without doing anything. Are you
> ok with that? Keeping the issues open for 3 years doesn't help anyone,
> and there is already a security warning in all supported versions (I
> checked 2.7 and 3.4).
>
> It seems like XML is getting less popular because of JSON becoming
> more popular (even if JSON obviously comes with its own set of
> security issues...). It seems like fewer core developers care about XML
> today than 3 years ago.
>
> We should just accept that core developers have limited availability
> and that documenting security issues is an *acceptable* trade-off. I
> don't see any value in keeping these 3 issues open.
Hi,

during the Python core developer sprint, Steve Dower forced ^H^H^H^H^H^H convinced me into looking into the XML security bugs again. I come with fixes for all issues. However, all security fixes require a change of behavior. I strongly believe that the change doesn't affect the majority of users in a negative way.

For entity expansion attacks (billion laughs, quadratic blowup), the issue cannot be fixed in a libexpat callback. I decided that it's better to fix the issue in expat directly. libxml2 added limits for entity expansion many years ago, too. I created a patch for libexpat to limit nesting depths, entity length and ratio between XML data and expansion, https://github.com/libexpat/libexpat/pull/220 . The PR is a proof of concept.

For the external entity and DTD bug in SAX and pulldom parser, I changed the default setting in PR https://github.com/python/cpython/pull/9217 . When accepted, the parsers no longer load and embed files from local directories or network locations.

Regards,
Christian

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
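The two bug classes in this exchange, external entity loading in the SAX parser and DTD entity expansion, can both be checked and mitigated from application code with the standard library alone. The following is an added example written for this page; it is neither code from the thread nor from CPython or the linked PRs. The `xml.sax.handler.feature_external_ges` feature and pyexpat's `EntityDeclHandler` are real stdlib APIs; the sample documents, the `SECRET-FROM-DISK` temp file and all function names are constructed for the demo. Pinning the feature explicitly means the parser behaves the same whether or not the interpreter ships the changed default from the PR, and refusing entity declarations at the DTD level is the coarse application-side defence that stops expansion before it starts (the libexpat PR in the thread adds finer-grained limits inside the library itself).

```python
"""Added example (not from the thread or CPython): stdlib-only XML hardening.

1. External entities: pin feature_external_ges so &ext; is never resolved.
   parse_sax(..., resolve_external=True) exists only to show the contrast.
2. Entity expansion: refuse any DTD entity declaration via EntityDeclHandler;
   billion-laughs style documents depend on such declarations.
Sample documents and the temp file below are constructed for this demo.
"""
import io
import os
import tempfile
import xml.sax
import xml.sax.handler
from xml.parsers import expat


class TextCollector(xml.sax.ContentHandler):
    """Collect character data so the parser's output can be inspected."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_sax(xml_bytes, resolve_external=False):
    """Parse with xml.sax; external general entities resolve only if asked."""
    parser = xml.sax.make_parser()
    # Set the feature explicitly instead of relying on the version's default.
    parser.setFeature(xml.sax.handler.feature_external_ges, resolve_external)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.parts)


def parse_expat_refusing_entities(xml_bytes):
    """Parse with pyexpat, aborting at the first entity declaration.

    Returns ("ok", text) for entity-free documents and
    ("refused", entity_name) as soon as the DTD declares an entity.
    """
    parser = expat.ParserCreate()
    text = []

    def entity_decl(name, is_pe, value, base, sysid, pubid, notation):
        # Raising inside a handler stops the parse; the error propagates.
        raise ValueError(name)

    parser.EntityDeclHandler = entity_decl
    parser.CharacterDataHandler = text.append
    try:
        parser.Parse(xml_bytes, True)
    except ValueError as err:
        return "refused", err.args[0]
    return "ok", "".join(text)


def external_entity_doc(path):
    """Constructed document whose general entity points at a local file."""
    return ('<!DOCTYPE d [<!ENTITY ext SYSTEM "%s">]>'
            '<doc>before:&ext;:after</doc>' % path).encode()


# Constructed two-level nesting: enough to trigger the declaration handler.
NESTED_ENTITY_DOC = (b'<!DOCTYPE d [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;">]>'
                     b'<doc>&b;</doc>')


def run_demo():
    """Return the observed behaviour of each parser configuration."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("SECRET-FROM-DISK")  # constructed stand-in for a local file
        path = f.name
    try:
        doc = external_entity_doc(path)
        results = {
            "sax_hardened": parse_sax(doc, resolve_external=False),
            "sax_resolving": parse_sax(doc, resolve_external=True),
        }
    finally:
        os.unlink(path)
    results["expat_nested"] = parse_expat_refusing_entities(NESTED_ENTITY_DOC)
    results["expat_plain"] = parse_expat_refusing_entities(b"<doc>hi</doc>")
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print("%-14s %r" % (name, value))
```

Running the module prints the hardened SAX result with the entity left empty (`before::after`), the resolving result with the file contents embedded, and the pyexpat parser refusing the nested document at entity `a` while accepting the plain one. The same `setFeature` call works on the parser `xml.dom.pulldom.parse` builds internally if you pass it your own configured reader.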