Hi, On Tue, Mar 26, 2013 at 6:53 PM, christian.heimes <python-check...@python.org> wrote: > http://hg.python.org/cpython/rev/e87364449954 > changeset: 82973:e87364449954 > branch: 2.7 > parent: 82963:d321885ff8f3 > user: Christian Heimes <christ...@cheimes.de> > date: Tue Mar 26 17:53:05 2013 +0100 > summary: > Issue 17538: Document XML vulnerabilties > > [...] > > diff --git a/Doc/library/xml.rst b/Doc/library/xml.rst > new file mode 100644 > --- /dev/null > +++ b/Doc/library/xml.rst > @@ -0,0 +1,131 @@ > +.. _xml: > + > +XML Processing Modules > +====================== > + > +.. module:: xml > + :synopsis: Package containing XML processing modules > +.. sectionauthor:: Christian Heimes <christ...@python.org> > +.. sectionauthor:: Georg Brandl <ge...@python.org> > + > + > +Python's interfaces for processing XML are grouped in the ``xml`` package. > + > +.. warning:: > + > + The XML modules are not secure against erroneous or maliciously > + constructed data. If you need to parse untrusted or unauthenticated data > see > + :ref:`xml-vulnerabilities`. > + > +It is important to note that modules in the :mod:`xml` package require that > +there be at least one SAX-compliant XML parser available. The Expat parser is > +included with Python, so the :mod:`xml.parsers.expat` module will always be > +available. > + > +The documentation for the :mod:`xml.dom` and :mod:`xml.sax` packages are the > +definition of the Python bindings for the DOM and SAX interfaces. > + > +The XML handling submodules are: > + > +* :mod:`xml.etree.ElementTree`: the ElementTree API, a simple and lightweight
Something is missing here ^ > + > +.. > + > +* :mod:`xml.dom`: the DOM API definition > +* :mod:`xml.dom.minidom`: a lightweight DOM implementation > +* :mod:`xml.dom.pulldom`: support for building partial DOM trees > + > +.. > + > +* :mod:`xml.sax`: SAX2 base classes and convenience functions > +* :mod:`xml.parsers.expat`: the Expat parser binding > + > + > +.. _xml-vulnerabilities: > + > [...] > + > +defused packages > +---------------- > + > +`defusedxml`_ is a pure Python package with modified subclasses of all stdlib > +XML parsers that prevent any potentially malicious operation. The courses of > +action are recommended for any server code that parses untrusted XML data. This last sentence doesn't make much sense to me. Is it even correct? > The > +package also ships with example exploits and an extended documentation on > more > +XML exploits like xpath injection. > + > +`defusedexpat`_ provides a modified libexpat and patched replacment s/replacment/replacement/ > +:mod:`pyexpat` extension module with countermeasures against entity expansion > +DoS attacks. Defusedexpat still allows a sane and configurable amount of > entity > +expansions. The modifications will be merged into future releases of Python. > + > +The workarounds and modifications are not included in patch releases as they > +break backward compatibility. After all inline DTD and entity expansion are > +well-definied XML features. s/definied/defined/ > + > + > +.. _defusedxml: <https://pypi.python.org/pypi/defusedxml/> > +.. _defusedexpat: <https://pypi.python.org/pypi/defusedexpat/> > +.. _Billion Laughs: http://en.wikipedia.org/wiki/Billion_laughs > +.. _ZIP bomb: http://en.wikipedia.org/wiki/Zip_bomb > +.. _DTD: http://en.wikipedia.org/wiki/Document_Type_Definition > [...] 
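Review bot: in the "defused packages" section the sentence `The courses of action are recommended for any server code that parses untrusted XML data.` has no antecedent and reads as a leftover from an earlier draft; it should either say what is recommended (for example `Using defusedxml is recommended for any server code that parses untrusted XML data.`) or be dropped. Earlier in the same hunk, the `:mod:\`xml.etree.ElementTree\`` bullet in the submodule list ends mid-sentence at `a simple and lightweight`, so the description is truncated and the following `..` separator looks out of place. Two typos: `replacment` should be `replacement` and `well-definied` should be `well-defined`. Finally, `The modifications will be merged into future releases of Python.` states a plan rather than documents behaviour and will go stale once it does or does not happen; it is better left out of the library reference or reworded to describe only what the current release does.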
Best Regards,
Ezio Melotti