bpo-17239: Disable external entities in SAX parser (GH-9217)

The SAX parser no longer processes general external entities by default to increase security. Before, the parser created network connections to fetch remote files or loaded local files from the file system for DTD and entities. Signed-off-by: Christian Heimes <christian@python.org> https://bugs.python.org/issue17239
author: Christian Heimes <christian@python.org> 2018-09-23 07:50:25 (GMT)
committer: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> 2018-09-23 07:50:25 (GMT)
commit: 17b1d5d4e36aa57a9b25a0e694affbd1ee637e45 (patch)
tree: 486acd3328d5e607bd05936fdfb73eb548d4fa90 /Misc
parent: 9fb051f032c36b9f6086b79086b4d6b7755a3d70 (diff)
download: cpython-17b1d5d4e36aa57a9b25a0e694affbd1ee637e45.zip
cpython-17b1d5d4e36aa57a9b25a0e694affbd1ee637e45.tar.gz
cpython-17b1d5d4e36aa57a9b25a0e694affbd1ee637e45.tar.bz2
1 files changed, 3 insertions, 0 deletions
diff --git a/Misc/NEWS.d/next/Security/2018-09-11-18-30-55.bpo-17239.kOpwK2.rst b/Misc/NEWS.d/next/Security/2018-09-11-18-30-55.bpo-17239.kOpwK2.rst
new file mode 100644
index 0000000..8dd0fe8
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2018-09-11-18-30-55.bpo-17239.kOpwK2.rst
@@ -0,0 +1,3 @@
+The xml.sax and xml.dom.minidom parsers no longer processes external
+entities by default. External DTD and ENTITY declarations no longer
+load files or create network connections.
author	Christian Heimes <christian@python.org>	2018-09-23 07:50:25 (GMT)
committer	Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>	2018-09-23 07:50:25 (GMT)
commit	17b1d5d4e36aa57a9b25a0e694affbd1ee637e45 (patch)
tree	486acd3328d5e607bd05936fdfb73eb548d4fa90 /Misc
parent	9fb051f032c36b9f6086b79086b4d6b7755a3d70 (diff)
download	cpython-17b1d5d4e36aa57a9b25a0e694affbd1ee637e45.zip cpython-17b1d5d4e36aa57a9b25a0e694affbd1ee637e45.tar.gz cpython-17b1d5d4e36aa57a9b25a0e694affbd1ee637e45.tar.bz2