summaryrefslogtreecommitdiffstats
path: root/Doc/library/xml.rst
diff options
context:
space:
mode:
authorGeorg Brandl <georg@python.org>2013-10-12 16:19:48 (GMT)
committerGeorg Brandl <georg@python.org>2013-10-12 16:19:48 (GMT)
commit32b2c62db43296571ee7ebefd845516106c5abea (patch)
tree055f50b8a0772fd28e45a548186e4a0fa9102330 /Doc/library/xml.rst
parent42840f017d7345c83e907208a3d7d476557ea4ed (diff)
parent57f936ecdea75cfa1a7edee72fbca41b7d814796 (diff)
downloadcpython-32b2c62db43296571ee7ebefd845516106c5abea.zip
cpython-32b2c62db43296571ee7ebefd845516106c5abea.tar.gz
cpython-32b2c62db43296571ee7ebefd845516106c5abea.tar.bz2
merge with 3.3
Diffstat (limited to 'Doc/library/xml.rst')
-rw-r--r--Doc/library/xml.rst12
1 files changed, 7 insertions, 5 deletions
diff --git a/Doc/library/xml.rst b/Doc/library/xml.rst
index d255f7f..d796d82 100644
--- a/Doc/library/xml.rst
+++ b/Doc/library/xml.rst
@@ -53,15 +53,17 @@ access local files, to generate network connections to other machines, or
to or circumvent firewalls. The attacks on XML abuse unfamiliar features
like inline `DTD`_ (document type definition) with entities.
+The following table gives an overview of the known attacks and if the various
+modules are vulnerable to them.
========================= ======== ========= ========= ======== =========
kind sax etree minidom pulldom xmlrpc
========================= ======== ========= ========= ======== =========
-billion laughs **True** **True** **True** **True** **True**
-quadratic blowup **True** **True** **True** **True** **True**
-external entity expansion **True** False (1) False (2) **True** False (3)
-DTD retrieval **True** False False **True** False
-decompression bomb False False False False **True**
+billion laughs **Yes** **Yes** **Yes** **Yes** **Yes**
+quadratic blowup **Yes** **Yes** **Yes** **Yes** **Yes**
+external entity expansion **Yes** No (1) No (2) **Yes** No (3)
+DTD retrieval **Yes** No No **Yes** No
+decompression bomb No No No No **Yes**
========================= ======== ========= ========= ======== =========
1. :mod:`xml.etree.ElementTree` doesn't expand external entities and raises a