[issue17538] Document XML Vulnerabilities

2013-12-21 Thread Antoine Pitrou
Changes by Antoine Pitrou pit...@free.fr:

--
resolution:  -> fixed
stage: patch review -> committed/rejected
status: open -> closed

_______________________________________
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue17538
_______________________________________

[issue17538] Document XML Vulnerabilities

2013-04-06 Thread Roundup Robot
Roundup Robot added the comment:

New changeset f45902f8c7d7 by Christian Heimes in branch '3.2':
Issue 17538: Document XML vulnerabilities
http://hg.python.org/cpython/rev/f45902f8c7d7

[issue17538] Document XML Vulnerabilities

2013-04-06 Thread Éric Araujo
Éric Araujo added the comment:

Christian: there are people strongly disagreeing with the description of minidom as “lightweight”; could you edit the library/xml.rst file you added to say “minimal” instead? See c2ae1ed03853 and #11379 if you want more info.

[issue17538] Document XML Vulnerabilities

2013-03-30 Thread Roundup Robot
Roundup Robot added the comment:

New changeset 91bb6d7ae833 by Christian Heimes in branch '2.7':
Issue 17538: Document XML vulnerabilities
http://hg.python.org/cpython/rev/91bb6d7ae833

[issue17538] Document XML Vulnerabilities

2013-03-26 Thread Christian Heimes
Christian Heimes added the comment:

Benjamin and Georg, how do the RMs feel about the doc patch?

--
nosy: +benjamin.peterson, georg.brandl

[issue17538] Document XML Vulnerabilities

2013-03-26 Thread Georg Brandl
Georg Brandl added the comment:

* I would take out the "erroneous" of "erroneous or maliciously constructed" in the disclaimers. The odds of creating one of the bombings by chance are slim.
* The names of attacks in the table are quite opaque if you haven't heard of them. They should be

[issue17538] Document XML Vulnerabilities

2013-03-26 Thread Christian Heimes
Christian Heimes added the comment:

1. Sounds fine to me.
2. I can copy some text from the README.txt of defusedxml. A CSV table was easier to maintain for me. What's a good tool to create and modify Sphinx tables?
3. No strong opinion here; better safe than sorry?
4. IMO the warning should

[issue17538] Document XML Vulnerabilities

2013-03-26 Thread Donald Stufft
Donald Stufft added the comment:

FWIW I put the warning on all the sax pages just because there's no way to know which page a user will go to if they are coming in via Google.

[issue17538] Document XML Vulnerabilities

2013-03-26 Thread Georg Brandl
Georg Brandl added the comment:

2. That would be good. For this table the simple rst tables should be fine:

    =====  =====
    head   head
    =====  =====
    body   body
    body   body
    =====  =====

3. Once per XML logical handling module/package seems quite enough.
4. The warnings only link to the section

[issue17538] Document XML Vulnerabilities

2013-03-26 Thread Christian Heimes
Christian Heimes added the comment:

Here we go again!

--
stage:  -> patch review
Added file: http://bugs.python.org/file29581/xmldocs3.diff

[issue17538] Document XML Vulnerabilities

2013-03-26 Thread Georg Brandl
Georg Brandl added the comment:

I still see "erroneous" in there... otherwise looks good to me.

[issue17538] Document XML Vulnerabilities

2013-03-26 Thread Roundup Robot
Roundup Robot added the comment:

New changeset e7795a178b0a by Christian Heimes in branch '3.2':
Issue 17538: Document XML vulnerabilities
http://hg.python.org/cpython/rev/e7795a178b0a

New changeset 65e8ac5f073f by Christian Heimes in branch '3.3':
Issue 17538: Document XML vulnerabilities

[issue17538] Document XML Vulnerabilities

2013-03-25 Thread Hynek Schlawack
Hynek Schlawack added the comment:

I feel like there should be a warning in Doc/library/xml.rst too. Is there any actual reason why we don't ship defusedxml with Python and add an easy way to monkeypatch, so there are as few passive barriers as possible to using XML “safely”? I'm sorry I

[issue17538] Document XML Vulnerabilities

2013-03-25 Thread Christian Heimes
Christian Heimes added the comment:

Donald: Thanks! I'm going to look at your patch later today.

Hynek: Because the preferred way is another: use the patched expat and pyexpat C modules of defusedexpat. It's a fix at the C level and still allows a sane amount of entity expansions. defusedxml
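The two defensive strategies Christian contrasts above (defusedxml's refusal of entity declarations in Python code, versus defusedexpat's C-level limit that still permits a sane amount of expansion), applied to the kind of entity "bomb" Georg refers to earlier in the thread, as an added example. This is not code from the tracker, from CPython's documentation patch, or from defusedxml/defusedexpat; it uses only the standard-library xml.parsers.expat binding, and the sample documents, the exception classes, the function names and the 1,000-character budget are assumptions made for this example.

```python
"""Entity-expansion ("billion laughs") demo with the stdlib expat binding.

Added example, not code from the tracker thread or from defusedxml/defusedexpat.
Two defenses are shown, both done with plain xml.parsers.expat handlers:
  * refuse any entity declaration outright (what defusedxml does in Python), and
  * allow internal entities but cap how much text they may expand to (a
    Python-level approximation of defusedexpat's C-level limit; the default
    budget below is an assumption made for this example).
"""
import xml.parsers.expat as expat

# Constructed sample: a 3-level, 10-fold entity bomb. About 300 bytes of input
# expand to 1,000 copies of "lol" (3,000 characters). Real attacks use more
# levels and more references per level, which is where the "billion" comes from.
BOMB = """<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""

# Constructed sample: an external entity declaration (the XXE pattern).
XXE = '<!DOCTYPE d [<!ENTITY ext SYSTEM "file:///etc/passwd">]><d>&ext;</d>'

# Constructed sample: an ordinary document with no DTD at all.
BENIGN = '<?xml version="1.0"?><doc><item>hello</item><item>world</item></doc>'


class EntitiesForbidden(ValueError):
    """Raised when the document declares an entity that the policy does not allow."""


class ExpansionBudgetExceeded(ValueError):
    """Raised when expanded character data exceeds the configured budget."""


def text_length_unprotected(doc: str) -> int:
    """Plain expat parser: expands every entity and returns the text length."""
    total = 0
    parser = expat.ParserCreate()

    def on_text(data):
        nonlocal total
        total += len(data)

    parser.CharacterDataHandler = on_text
    parser.Parse(doc, True)
    return total


def text_length(doc: str, *, allow_entities: bool = False,
                max_expanded_chars: int = 1_000) -> int:
    """Hardened parse of `doc`; returns the total length of character data.

    allow_entities=False rejects any entity declaration, internal or external.
    allow_entities=True permits internal entities but raises once more than
    `max_expanded_chars` characters of text have been delivered; external
    entities (those with a system or public id) are always refused.
    """
    total = 0
    parser = expat.ParserCreate()

    def on_entity_decl(name, is_parameter_entity, value, base,
                       system_id, public_id, notation_name):
        # pyexpat re-raises an exception thrown in a handler out of Parse(),
        # so raising here stops the parse before any expansion work is done.
        if not allow_entities or system_id is not None or public_id is not None:
            raise EntitiesForbidden(f"entity declaration {name!r} is not allowed")

    def on_text(data):
        # Expanded entity text arrives here too, so an output-size budget
        # bounds the amplification regardless of how the entities nest.
        nonlocal total
        total += len(data)
        if total > max_expanded_chars:
            raise ExpansionBudgetExceeded(
                f"expanded text exceeds {max_expanded_chars} characters")

    parser.EntityDeclHandler = on_entity_decl
    parser.CharacterDataHandler = on_text
    parser.Parse(doc, True)
    return total


if __name__ == "__main__":
    print("unprotected:", text_length_unprotected(BOMB),
          "chars of text from", len(BOMB), "bytes of input")
    for mode in ({"allow_entities": False},
                 {"allow_entities": True, "max_expanded_chars": 1_000}):
        try:
            text_length(BOMB, **mode)
        except (EntitiesForbidden, ExpansionBudgetExceeded) as exc:
            print(f"{mode}: rejected ({type(exc).__name__}: {exc})")
    print("benign document, entities forbidden:", text_length(BENIGN))
```

The budget variant is only an illustration of the idea: it counts delivered text, so the parser has already done the expansion work for everything below the cap, which is why a limit enforced inside expat itself is the preferable fix and why the thread points at defusedexpat rather than a pure-Python monkeypatch.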

[issue17538] Document XML Vulnerabilities

2013-03-25 Thread Christian Heimes
Christian Heimes added the comment:

Updated patch with more info and also a link to defusedexpat.

--
Added file: http://bugs.python.org/file29572/xmldocs2.diff

[issue17538] Document XML Vulnerabilities

2013-03-25 Thread Donald Stufft
Donald Stufft added the comment:

Update looks fine to me. I'm not the best at docs; I just wanted to get at least a jumping-off point.

[issue17538] Document XML Vulnerabilities

2013-03-25 Thread Éric Araujo
Éric Araujo added the comment:

LGTM.

--
nosy: +eric.araujo
versions: +Python 3.2

[issue17538] Document XML Vulnerabilities

2013-03-24 Thread Donald Stufft
New submission from Donald Stufft:

Here's a documentation patch (made against the 2.7 branch) that adds warnings to the various xml modules to warn about the insecurity and points towards defusedxml/defusedexpat.

--
components: Library (Lib), XML
files: xmldocs.diff
keywords: patch