[issue17239] XML vulnerabilities in Python

2021-11-08 Thread STINNER Victor
Change by STINNER Victor: -- nosy: -vstinner

[issue17239] XML vulnerabilities in Python

2021-11-04 Thread Eryk Sun
Change by Eryk Sun: -- components: +Library (Lib), XML versions: +Python 3.7, Python 3.9

[issue17239] XML vulnerabilities in Python

2021-11-04 Thread Eryk Sun
Change by Eryk Sun: -- Removed message: https://bugs.python.org/msg405689

[issue17239] XML vulnerabilities in Python

2021-11-04 Thread Eryk Sun
Change by Eryk Sun: -- Removed message: https://bugs.python.org/msg405686

[issue17239] XML vulnerabilities in Python

2021-11-04 Thread Eryk Sun
Change by Eryk Sun: -- nosy: +Arfrever, barry, benjamin.peterson, christian.heimes, eli.bendersky, ezio.melotti, franck, georg.brandl, jwilk, larry, martin.panter, mcepl, mitar, ned.deily, pitrou, rhettinger, rsandwick3, scoder, serhiy.storchaka, steve.dower, vstinner

[issue17239] XML vulnerabilities in Python

2020-02-04 Thread Cheryl Sabella
Change by Cheryl Sabella: -- versions: +Python 3.9 -Python 2.7, Python 3.6

[issue17239] XML vulnerabilities in Python

2019-09-03 Thread Dirkjan Ochtman
Change by Dirkjan Ochtman: -- nosy: -djc

[issue17239] XML vulnerabilities in Python

2019-06-28 Thread Mitar
Change by Mitar: -- nosy: +mitar

[issue17239] XML vulnerabilities in Python

2018-09-24 Thread miss-islington
miss-islington added the comment: New changeset 394e55a9279d17240ef6fe85d3b4ea3fe7b6dff5 by Miss Islington (bot) (Christian Heimes) in branch '3.7': [3.7] bpo-17239: Disable external entities in SAX parser (GH-9217) (GH-9511)

[issue17239] XML vulnerabilities in Python

2018-09-24 Thread miss-islington
miss-islington added the comment: New changeset 582d188e6e3487180891f1fc457a80dec8be26a8 by Miss Islington (bot) (Christian Heimes) in branch '3.6': [3.6] bpo-17239: Disable external entities in SAX parser (GH-9217) (GH-9512)

[issue17239] XML vulnerabilities in Python

2018-09-23 Thread Christian Heimes
Change by Christian Heimes: -- pull_requests: +8918

[issue17239] XML vulnerabilities in Python

2018-09-23 Thread Christian Heimes
Change by Christian Heimes: -- pull_requests: +8917

[issue17239] XML vulnerabilities in Python

2018-09-23 Thread miss-islington
miss-islington added the comment: New changeset 17b1d5d4e36aa57a9b25a0e694affbd1ee637e45 by Miss Islington (bot) (Christian Heimes) in branch 'master': bpo-17239: Disable external entities in SAX parser (GH-9217)

[issue17239] XML vulnerabilities in Python

2018-09-19 Thread STINNER Victor
STINNER Victor added the comment:
> Oh? I've updated it twice (4e21100fa7bf66e0b32146d3f46ae16afc73fee1 and 5033aa77aacaa5505636f150e8d54baac5bdca9c), and it didn't seem so bad. I just copied the upstream files in. Did I do it wrong?
Let me remind what I did... bpo-30694 (expat 2.2.1):

[issue17239] XML vulnerabilities in Python

2018-09-19 Thread Benjamin Peterson
Benjamin Peterson added the comment:
On Tue, Sep 18, 2018, at 06:39, STINNER Victor wrote:
> STINNER Victor added the comment:
> > Who normally updates the vendored libexpat?
> I made the 3 latest libexpat updates, and each of them was painful :-)
Oh? I've updated it twice

[issue17239] XML vulnerabilities in Python

2018-09-18 Thread Christian Heimes
Christian Heimes added the comment:
> * only Windows and macOS will get the fix
Modules/expat can be used on all platforms. A downstream patch is only a problem for platforms that compile Python with "./configure --with-system-expat". The security fixes for entity expansion blowup and

[issue17239] XML vulnerabilities in Python

2018-09-18 Thread STINNER Victor
STINNER Victor added the comment:
> Who normally updates the vendored libexpat?
I made the 3 latest libexpat updates, and each of them was painful :-) My notes on vendored libraries: https://pythondev.readthedocs.io/cpython.html#vendored-external-libraries I wrote a tool to get the version

[issue17239] XML vulnerabilities in Python

2018-09-17 Thread Steve Dower
Steve Dower added the comment: There's also the view that it'll be easier to justify upstreaming a patch if it's been released and tested in a separate app. We require that all the time for Python patches, so why should we expect other projects to be different? We're totally entitled to

[issue17239] XML vulnerabilities in Python

2018-09-17 Thread STINNER Victor
STINNER Victor added the comment:
> Any reason to not take the current patch for our vendored copy and give it some exposure at least on platforms that rely on it (maybe just Windows)? I don't see any reason to wait on another group to "release" it when we need to manually apply the

[issue17239] XML vulnerabilities in Python

2018-09-17 Thread Steve Dower
Steve Dower added the comment: Any reason to not take the current patch for our vendored copy and give it some exposure at least on platforms that rely on it (maybe just Windows)? I don't see any reason to wait on another group to "release" it when we need to manually apply the update to

[issue17239] XML vulnerabilities in Python

2018-09-17 Thread Christian Heimes
Christian Heimes added the comment: The external entity patch is ready, but the billion laughs fix needs more time. I'm working with an upstream developer on a proper fix. -- nosy: +christian.heimes

[issue17239] XML vulnerabilities in Python

2018-09-17 Thread Ned Deily
Ned Deily added the comment: We discussed this last week at the sprint. Christian, it would be great if you could get this merged for 3.7 and possibly 3.6 in the next 24 hours.

[issue17239] XML vulnerabilities in Python

2018-09-17 Thread Steve Dower
Steve Dower added the comment: Ned - I don't think this is necessarily a release blocker, as we've been shipping it for a long time, but it would be nice if we can hold 3.7.1rc1 just long enough to get it in (provided Christian jumps in and says he'll get the last minor concerns on the PRs

[issue17239] XML vulnerabilities in Python

2018-09-13 Thread Christian Heimes
Change by Christian Heimes: -- pull_requests: +8697

[issue17239] XML vulnerabilities in Python

2018-09-12 Thread Christian Heimes
Change by Christian Heimes: -- pull_requests: +8649 stage: needs patch -> patch review

[issue17239] XML vulnerabilities in Python

2018-09-06 Thread Matej Cepl
Matej Cepl added the comment:
> I suggest to:
>
> * close bpo-17318 as a duplicate of this issue (bpo-17239)
> * close bpo-24238
> * close this issue
+1 from me.

[issue17239] XML vulnerabilities in Python

2018-08-31 Thread STINNER Victor
STINNER Victor added the comment: This issue didn't get much attention in 5 years. The XML documentation starts with a big red warning: https://docs.python.org/dev/library/xml.html The warning is present in 2.7 and 3.4 as well: https://docs.python.org/2.7/library/xml.html

[issue17239] XML vulnerabilities in Python

2018-03-04 Thread Matej Cepl
Change by Matej Cepl: -- nosy: +mcepl

[issue17239] XML vulnerabilities in Python

2016-06-12 Thread Christian Heimes
Changes by Christian Heimes: -- nosy: -christian.heimes

[issue17239] XML vulnerabilities in Python

2016-06-12 Thread Martin Panter
Changes by Martin Panter: -- dependencies: +Avoid entity expansion attacks in Element Tree, xml.sax and xml.dom fetch DTDs by default

[issue17239] XML vulnerabilities in Python

2015-05-24 Thread Stefan Behnel
Changes by Stefan Behnel sco...@users.sourceforge.net: -- nosy: +scoder

[issue17239] XML vulnerabilities in Python

2015-05-19 Thread Martin Panter
Martin Panter added the comment: I have opened Issue 24238 with a patch for Element Tree that uses my EntityDeclHandler technique, instead of patching Expat. I would be interested in other people’s thoughts on the approach.

[issue17239] XML vulnerabilities in Python

2015-05-18 Thread Martin Panter
Martin Panter added the comment: I started looking at the lower Expat-level changes. Here are some thoughts, in the order that I thought them. :) But the end result is to investigate a different approach to disable entities in existing versions of Expat. Currently, it looks like

[issue17239] XML vulnerabilities in Python

2015-05-17 Thread Martin Panter
Martin Panter added the comment: I did a rough merge with current “default” (3.5 pre-release) branch so that I can have a closer look at this issue; see xmlbomb_20150518.patch for the result. There are some bits with Argument Clinic that need perfecting: * Unsure how to convert the

[issue17239] XML vulnerabilities in Python

2015-01-14 Thread Jakub Wilk
Changes by Jakub Wilk jw...@jwilk.net: -- nosy: +jwilk

[issue17239] XML vulnerabilities in Python

2015-01-11 Thread Martin Panter
Changes by Martin Panter vadmium...@gmail.com: -- nosy: +vadmium

[issue17239] XML vulnerabilities in Python

2013-03-25 Thread Raynard Sandwick
Changes by Raynard Sandwick rsandwi...@gmail.com: -- nosy: +rsandwick3

[issue17239] XML vulnerabilities in Python

2013-03-23 Thread Benjamin Peterson
Benjamin Peterson added the comment: Not blocking 2.7.4 as discussed on mailing list. -- priority: release blocker -> critical

[issue17239] XML vulnerabilities in Python

2013-03-17 Thread Antoine Pitrou
Antoine Pitrou added the comment: Since this has dragged on for quite a while, I'm probably just going to release 2.7.4 with a pointer to defusedxml in the release notes. (docs, though, perhaps) +1 too. -- nosy: +pitrou

[issue17239] XML vulnerabilities in Python

2013-03-15 Thread Benjamin Peterson
Benjamin Peterson added the comment: Since this has dragged on for quite a while, I'm probably just going to release 2.7.4 with a pointer to defusedxml in the release notes. (docs, though, perhaps)

[issue17239] XML vulnerabilities in Python

2013-03-15 Thread Raymond Hettinger
Raymond Hettinger added the comment: Since this has dragged on for quite a while, I'm probably just going to release 2.7.4 with a pointer to defusedxml in the release notes. (docs, though, perhaps) +1 -- nosy: +rhettinger

[issue17239] XML vulnerabilities in Python

2013-02-22 Thread Arfrever Frehtes Taifersar Arahesis
Changes by Arfrever Frehtes Taifersar Arahesis arfrever@gmail.com: -- nosy: +Arfrever

[issue17239] XML vulnerabilities in Python

2013-02-20 Thread Dirkjan Ochtman
Changes by Dirkjan Ochtman dirk...@ochtman.nl: -- nosy: +djc

[issue17239] XML vulnerabilities in Python

2013-02-19 Thread Ezio Melotti
Changes by Ezio Melotti ezio.melo...@gmail.com: -- nosy: +eli.bendersky, ezio.melotti

[issue17239] XML vulnerabilities in Python

2013-02-19 Thread Christian Heimes
New submission from Christian Heimes: Experimental fix for XML vulnerabilities against default. It's NOT ready and needs lots of polishing. https://pypi.python.org/pypi/defusedxml contains explanations of all issues https://pypi.python.org/pypi/defusedexpat is a standalone version of part of

[issue17239] XML vulnerabilities in Python

2013-02-19 Thread Franck Michea
Changes by Franck Michea franck.mic...@gmail.com: -- nosy: +kushou

[issue17239] XML vulnerabilities in Python

2013-02-19 Thread Serhiy Storchaka
Changes by Serhiy Storchaka storch...@gmail.com: -- nosy: +serhiy.storchaka