author: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>, 2021-08-29 14:31:27 (GMT)
committer: GitHub <noreply@github.com>, 2021-08-29 14:31:27 (GMT)
commit: c9c2a0bc9820f93f1020f3498f6893a3544c9b76
tree: 2bb6c01c9542fc1f284f5d9f1eda5760adc7f218 /Doc
parent: 193443bb708cba3a72e99e61dd6615a94f22f9e1
bpo-44394: Update libexpat copy to 2.4.1 (GH-26945) (GH-28033)
Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to get the
fix for the CVE-2013-0340 "Billion Laughs" vulnerability. This copy
is most used on Windows and macOS.
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
(cherry picked from commit 3fc5d84046ddbd66abac5b598956ea34605a4e5d)
Co-authored-by: Victor Stinner <vstinner@python.org>
Diffstat (limited to 'Doc')
-rw-r--r-- | Doc/library/xml.rst | 32 |
1 files changed, 18 insertions, 14 deletions
diff --git a/Doc/library/xml.rst b/Doc/library/xml.rst index 1981cab..e3b3516 100644 --- a/Doc/library/xml.rst +++ b/Doc/library/xml.rst 
@@ -60,22 +60,26 @@ circumvent firewalls. The following table gives an overview of the known attacks and whether the various modules are vulnerable to them. -========================= ============== =============== ============== ============== ============== -kind sax etree minidom pulldom xmlrpc -========================= ============== =============== ============== ============== ============== -billion laughs **Vulnerable** **Vulnerable** **Vulnerable** **Vulnerable** **Vulnerable** -quadratic blowup **Vulnerable** **Vulnerable** **Vulnerable** **Vulnerable** **Vulnerable** -external entity expansion Safe (4) Safe (1) Safe (2) Safe (4) Safe (3) -`DTD`_ retrieval Safe (4) Safe Safe Safe (4) Safe -decompression bomb Safe Safe Safe Safe **Vulnerable** -========================= ============== =============== ============== ============== ============== - -1. :mod:`xml.etree.ElementTree` doesn't expand external entities and raises a +========================= ================== ================== ================== ================== ================== +kind sax etree minidom pulldom xmlrpc +========================= ================== ================== ================== ================== ================== +billion laughs **Vulnerable** (1) **Vulnerable** (1) **Vulnerable** (1) **Vulnerable** (1) **Vulnerable** (1) +quadratic blowup **Vulnerable** (1) **Vulnerable** (1) **Vulnerable** (1) **Vulnerable** (1) **Vulnerable** (1) +external entity expansion Safe (5) Safe (2) Safe (3) Safe (5) Safe (4) +`DTD`_ retrieval Safe (5) Safe Safe Safe (5) Safe +decompression bomb Safe Safe Safe Safe **Vulnerable** +========================= ================== ================== ================== ================== ================== + +1. Expat 2.4.1 and newer is not vulnerable to the "billion laughs" and + "quadratic blowup" vulnerabilities. Items still listed as vulnerable due to + potential reliance on system-provided libraries. Check + :data:`pyexpat.EXPAT_VERSION`. 
+2. :mod:`xml.etree.ElementTree` doesn't expand external entities and raises a :exc:`ParserError` when an entity occurs. -2. :mod:`xml.dom.minidom` doesn't expand external entities and simply returns +3. :mod:`xml.dom.minidom` doesn't expand external entities and simply returns the unexpanded entity verbatim. -3. :mod:`xmlrpclib` doesn't expand external entities and omits them. -4. Since Python 3.7.1, external general entities are no longer processed by +4. :mod:`xmlrpclib` doesn't expand external entities and omits them. +5. Since Python 3.7.1, external general entities are no longer processed by default. |
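Review bot: the new footnote 1 carries a sentence fragment, "Items still listed as vulnerable due to potential reliance on system-provided libraries.", which leaves the reader guessing who still lists them and why; suggest "They are still listed as vulnerable because an interpreter may be linked against an older system-provided libexpat rather than the vendored copy." Since the commit message ties this update to the CVE-2013-0340 "Billion Laughs" fix, it would also help to state in the footnote what "Check :data:`pyexpat.EXPAT_VERSION`" is for, e.g. "Check :data:`pyexpat.EXPAT_VERSION` to see which Expat version your interpreter actually uses", so the table's "Vulnerable (1)" entries read as conditional rather than as a contradiction of the sentence before them.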