diff options
| author | Zackery Spytz <zspytz@gmail.com> | 2020-09-04 20:57:48 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-09-04 20:57:48 (GMT) |
| commit | 51b84f8e96a441c498210f827c1297ee4973525f (patch) | |
| tree | 9247f8a91acfe8dc17b492c4861c86f6546194fa /Doc/library/xml.rst | |
| parent | 84a7917b4c9afec07575065cffa143b91fe98c14 (diff) | |
| download | cpython-51b84f8e96a441c498210f827c1297ee4973525f.zip cpython-51b84f8e96a441c498210f827c1297ee4973525f.tar.gz cpython-51b84f8e96a441c498210f827c1297ee4973525f.tar.bz2 | |
bpo-38585: Remove references to defusedexpat (GH-22095)
defusedexpat is not maintained.
Diffstat (limited to 'Doc/library/xml.rst')
| -rw-r--r-- | Doc/library/xml.rst | 14 |
1 files changed, 3 insertions, 11 deletions
diff --git a/Doc/library/xml.rst b/Doc/library/xml.rst index fb86b6f..1981cab 100644 --- a/Doc/library/xml.rst +++ b/Doc/library/xml.rst @@ -20,7 +20,7 @@ Python's interfaces for processing XML are grouped in the ``xml`` package. The XML modules are not secure against erroneous or maliciously constructed data. If you need to parse untrusted or unauthenticated data see the :ref:`xml-vulnerabilities` and - :ref:`defused-packages` sections. + :ref:`defusedxml-package` sections. It is important to note that modules in the :mod:`xml` package require that there be at least one SAX-compliant XML parser available. The Expat parser is @@ -113,9 +113,9 @@ decompression bomb The documentation for `defusedxml`_ on PyPI has further information about all known attack vectors with examples and references. -.. _defused-packages: +.. _defusedxml-package: -The :mod:`defusedxml` and :mod:`defusedexpat` Packages +The :mod:`defusedxml` Package ------------------------------------------------------ `defusedxml`_ is a pure Python package with modified subclasses of all stdlib @@ -124,16 +124,8 @@ package is recommended for any server code that parses untrusted XML data. The package also ships with example exploits and extended documentation on more XML exploits such as XPath injection. -`defusedexpat`_ provides a modified libexpat and a patched -:mod:`pyexpat` module that have countermeasures against entity expansion -DoS attacks. The :mod:`defusedexpat` module still allows a sane and configurable amount of entity -expansions. The modifications may be included in some future release of Python, -but will not be included in any bugfix releases of -Python because they break backward compatibility. - .. _defusedxml: https://pypi.org/project/defusedxml/ -.. _defusedexpat: https://pypi.org/project/defusedexpat/ .. _Billion Laughs: https://en.wikipedia.org/wiki/Billion_laughs .. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb .. _DTD: https://en.wikipedia.org/wiki/Document_type_definition |