On 08/03/2021 22.02, Victor Stinner wrote:

Thanks Victor!

> == XML ==
>
> Python XML parsers have at least two known vulnerabilities: "billion
> laughs" and "quadratic blowup", which are documented:
> https://docs.python.org/dev/library/xml.html#xml-vulnerabilities
>
> The third party defusedxml module addresses these vulnerabilities:
> https://pypi.org/project/defusedxml/
>
> But Python remains unsafe by default, issue reported 8 years ago:
> https://bugs.python.org/issue17239

I still maintain defusedxml and just released a new version earlier this
week. A couple of years ago I also worked on fixing libexpat (the parser
used by Python's stdlib), https://github.com/libexpat/libexpat/issues/46.
To move forward somebody could finish my patch for libexpat and then hook
it up in Python's stdlib.

I have no interest in working on the matter. My days of XML processing are
long gone. Fixing it for "fame and glory" doesn't motivate me either.

Christian
_______________________________________________
Python-Dev mailing list -- python-dev@python.org
To unsubscribe send an email to python-dev-le...@python.org
https://mail.python.org/mailman3/lists/python-dev.python.org/
Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/6WL35XOFMNKDVMRSTQHQQTLOSBBMIARR/
Code of Conduct: http://python.org/psf/codeofconduct/
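Added example for the two vulnerability classes named in Victor's quoted message. It is not code from this thread, from defusedxml or from CPython: it constructs deliberately tiny "billion laughs" and "quadratic blowup" documents, measures how much text the stdlib expat parser expands them to, and shows two defenses that the public xml.parsers.expat hooks already allow, refusing any entity declaration (the approach defusedxml takes) and capping the ratio of delivered text to input size (the same idea libexpat later built in). All function names, the sample documents and the 10x cap are my own choices.

```python
"""
Entity-expansion demo on the stdlib expat parser (added example, not from
the python-dev thread, defusedxml or CPython).
"""
from typing import Optional
import xml.parsers.expat


class EntityBombError(ValueError):
    """Raised when a document is refused under one of the defenses below."""


def billion_laughs(depth: int = 4, fanout: int = 4) -> bytes:
    """Constructed sample: nested entities expanding to fanout**depth copies of "lol".

    The classic payload uses depth=9, fanout=10 (10**9 copies, about 3 GB of
    text); the defaults here are tiny so the example runs in milliseconds.
    """
    lines = ['<?xml version="1.0"?>', "<!DOCTYPE lolz [", ' <!ENTITY lol0 "lol">']
    for level in range(1, depth + 1):
        refs = ("&lol%d;" % (level - 1)) * fanout  # each level references the one below
        lines.append(' <!ENTITY lol%d "%s">' % (level, refs))
    lines.append("]>")
    lines.append("<lolz>&lol%d;</lolz>" % depth)
    return "\n".join(lines).encode("utf-8")


def quadratic_blowup(entity_size: int = 1000, refs: int = 100) -> bytes:
    """Constructed sample: one large entity referenced many times.

    No nesting, so a nesting-depth check does not catch it; output grows as
    entity_size * refs while the input only grows as entity_size + refs.
    """
    head = '<?xml version="1.0"?><!DOCTYPE doc [<!ENTITY big "%s">]>' % ("a" * entity_size)
    body = "<doc>%s</doc>" % ("&big;" * refs)
    return (head + body).encode("utf-8")


def parse_text_length(
    xml_bytes: bytes,
    *,
    allow_entity_decls: bool = True,
    max_amplification: Optional[float] = None,
) -> int:
    """Parse with expat and return how many characters of text it delivered.

    allow_entity_decls=False refuses the document at the first <!ENTITY>
    declaration, before any expansion happens. max_amplification aborts once
    delivered text exceeds that multiple of the input size (bytes in, chars
    out; identical for ASCII), which stops both nested and quadratic payloads
    while still allowing ordinary documents that happen to carry a DTD.
    """
    parser = xml.parsers.expat.ParserCreate()
    delivered = 0
    limit = None if max_amplification is None else max_amplification * len(xml_bytes)

    def on_entity_decl(name, is_parameter_entity, value, base,
                       system_id, public_id, notation_name):
        # Exceptions raised in a handler propagate out of parser.Parse().
        raise EntityBombError("refusing entity declaration %r" % name)

    def on_character_data(data):
        nonlocal delivered
        delivered += len(data)  # expat may deliver expanded text in many chunks
        if limit is not None and delivered > limit:
            raise EntityBombError("expanded text exceeds %.0fx the input size" % max_amplification)

    if not allow_entity_decls:
        parser.EntityDeclHandler = on_entity_decl
    parser.CharacterDataHandler = on_character_data
    parser.Parse(xml_bytes, True)
    return delivered


def is_rejected(xml_bytes: bytes, **options) -> bool:
    """True if parse_text_length refuses the document under the given options."""
    try:
        parse_text_length(xml_bytes, **options)
    except EntityBombError:
        return True
    return False


if __name__ == "__main__":
    bomb = billion_laughs()
    quad = quadratic_blowup()
    print("billion laughs: %d bytes in, %d chars out" % (len(bomb), parse_text_length(bomb)))
    print("quadratic:      %d bytes in, %d chars out" % (len(quad), parse_text_length(quad)))
    print("refuse DTD entities:", is_rejected(bomb, allow_entity_decls=False))
    print("amplification cap 10x:", is_rejected(quad, max_amplification=10))
```

The entity-declaration hook is the cheap, blunt defense and is what most applications want, since feeds and API payloads almost never need DTD entities. The amplification cap is the option when a DTD must be accepted; note it only bounds output relative to input, so a genuinely large document still gets parsed, and it works on the sample sizes here because they stay far below the point where a current libexpat's own protection would kick in.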