author | Christian Heimes <christian@python.org> | 2018-09-23 07:50:25 (GMT) |
---|---|---|
committer | Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> | 2018-09-23 07:50:25 (GMT) |
commit | 17b1d5d4e36aa57a9b25a0e694affbd1ee637e45 (patch) | |
tree | 486acd3328d5e607bd05936fdfb73eb548d4fa90 /Doc/library/xml.rst | |
parent | 9fb051f032c36b9f6086b79086b4d6b7755a3d70 (diff) | |
bpo-17239: Disable external entities in SAX parser (GH-9217)
The SAX parser no longer processes general external entities by default
to increase security. Before, the parser created network connections
to fetch remote files or loaded local files from the file system for DTD
and entities.
Signed-off-by: Christian Heimes <christian@python.org>
https://bugs.python.org/issue17239
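
An added example, not part of the commit or of CPython's own code: setting `feature_external_ges` explicitly on a SAX parser, so that the behaviour this commit makes the default also holds on interpreters that predate it. The helper names, the document, the file name and the marker string are constructed for the demonstration.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects all character data the parser reports."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_text(xml_bytes, external_ges=None):
    """Parse xml_bytes with SAX and return the collected character data.

    external_ges=None keeps the interpreter default; True or False sets
    feature_external_ges explicitly before parsing.
    """
    parser = xml.sax.make_parser()
    if external_ges is not None:
        parser.setFeature(feature_external_ges, external_ges)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.chunks)


def demo():
    """Return (text, marker): the text parsed with external general entities
    disabled, and the content of the constructed file the entity points at."""
    marker = "CONSTRUCTED-LOCAL-FILE-CONTENT"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "local.txt")
        with open(path, "w") as fh:
            fh.write(marker)
        # Constructed document: &ext; is an external general entity.
        doc = (
            '<?xml version="1.0"?>\n'
            '<!DOCTYPE r [<!ENTITY ext SYSTEM "%s">]>\n'
            "<r>before &ext; after</r>" % path
        ).encode()
        return parse_text(doc, external_ges=False), marker
```

With the feature off, the entity reference is skipped and the surrounding text is still delivered, so the file content never reaches the handler.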
Diffstat (limited to 'Doc/library/xml.rst')
-rw-r--r-- | Doc/library/xml.rst | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/Doc/library/xml.rst b/Doc/library/xml.rst index 63c24f8..9b8ba6b 100644 --- a/Doc/library/xml.rst +++ b/Doc/library/xml.rst @@ -65,8 +65,8 @@ kind sax etree minidom p ========================= ============== =============== ============== ============== ============== billion laughs **Vulnerable** **Vulnerable** **Vulnerable** **Vulnerable** **Vulnerable** quadratic blowup **Vulnerable** **Vulnerable** **Vulnerable** **Vulnerable** **Vulnerable** -external entity expansion **Vulnerable** Safe (1) Safe (2) **Vulnerable** Safe (3) -`DTD`_ retrieval **Vulnerable** Safe Safe **Vulnerable** Safe +external entity expansion Safe (4) Safe (1) Safe (2) Safe (4) Safe (3) +`DTD`_ retrieval Safe (4) Safe Safe Safe (4) Safe decompression bomb Safe Safe Safe Safe **Vulnerable** ========================= ============== =============== ============== ============== ============== @@ -75,6 +75,8 @@ decompression bomb Safe Safe Safe S 2. :mod:`xml.dom.minidom` doesn't expand external entities and simply returns the unexpanded entity verbatim. 3. :mod:`xmlrpclib` doesn't expand external entities and omits them. +4. Since Python 3.8.0, external general entities are no longer processed by + default since Python. billion laughs / exponential entity expansion |
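Review bot: The `DTD`_ retrieval row now cites footnote (4) in the first and fourth columns, but footnote 4 as added speaks only of "external general entities". Either extend the footnote to say why DTD retrieval is covered by the same change, or give that row its own note, so the "Safe (4)" cells in both rows are backed by the text they point to. It would also help to state in the footnote that "Safe" here describes the default configuration only, since the other columns' notes (1) to (3) describe unconditional behaviour.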
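Review bot: The added footnote 4 ends with a dangling fragment, "by default since Python.", which repeats the opening "Since Python 3.8.0" and leaves the sentence incomplete. Suggest dropping the trailing words so the entry reads "4. Since Python 3.8.0, external general entities are no longer processed by default."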