bpo-17239: Disable external entities in SAX parser #9217
miss-islington merged 1 commit into python:master from
686acbb to 3314077
Since default functionality is changing, should this be included in the
vstinner left a comment:
LGTM. Since there is a way to enable it in Python 3.7 and older, it's fine to change the default.
Should we change the default in Python 3.7 and older? I'm not sure about that.
Doc/library/xml.rst (outdated):
Maybe elaborate on "no longer" (just mention Python 3.8?).
I suggest "The XML SAX parser". It's not obvious that sax is related to XML if you are not used to XML.
zooba left a comment:
Agreed with both Cheryl and Victor's suggestions.
15bf855 to dd8ee7e
LGTM
vstinner left a comment:
LGTM, but maybe remove version numbers until they are really fixed?
Doc/library/xml.rst (outdated):
You might only list 3.8.0, but complete this table once we've fixed other branches.
I'm not sure about backporting this backward incompatible change to other branches, but if we do it, we should also fix 3.4 and 3.5, no?
d8125c2 to 55db8ce
The xml.sax and xml.dom.minidom parsers no longer process external entities to increase security. Before, the parser created network connections to fetch remote files or loaded local files from the file system for DTD and entities. Signed-off-by: Christian Heimes <[email protected]>
55db8ce to 0c8828c
@tiran: Status check is done, and it's a success ✅.
Thanks @tiran for the PR 🌮🎉. I'm working now to backport this PR to: 2.7, 3.6, 3.7.
Sorry, @tiran, I could not cleanly backport this to
Sorry, @tiran, I could not cleanly backport this to
Sorry, @tiran, I could not cleanly backport this to
GH-9511 is a backport of this pull request to the 3.7 branch.
The SAX parser no longer processes general external entities by default to increase security. Before, the parser created network connections to fetch remote files or loaded local files from the file system for DTD and entities. Signed-off-by: Christian Heimes <[email protected]> https://bugs.python.org/issue17239. (cherry picked from commit 17b1d5d) Co-authored-by: Christian Heimes <[email protected]>
GH-9512 is a backport of this pull request to the 3.6 branch.
…H-9512) The SAX parser no longer processes general external entities by default to increase security. Before, the parser created network connections to fetch remote files or loaded local files from the file system for DTD and entities. Signed-off-by: Christian Heimes <[email protected]> https://bugs.python.org/issue17239. (cherry picked from commit 17b1d5d) Co-authored-by: Christian Heimes <[email protected]> https://bugs.python.org/issue17239
…H-9511) The SAX parser no longer processes general external entities by default to increase security. Before, the parser created network connections to fetch remote files or loaded local files from the file system for DTD and entities. Signed-off-by: Christian Heimes <[email protected]> https://bugs.python.org/issue17239. (cherry picked from commit 17b1d5d) Co-authored-by: Christian Heimes <[email protected]> https://bugs.python.org/issue17239
The SAX parser no longer processes general external entities by default
to increase security. Before, the parser created network connections
to fetch remote files or loaded local files from the file system for DTD
and entities.
Signed-off-by: Christian Heimes [email protected]
https://bugs.python.org/issue17239
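The behaviour the commit message describes, shown as an added example that is not part of this PR or of CPython's own test suite. It uses the standard-library `xml.sax` API with its expat-backed reader; the sample document, the `TextCollector` handler and the helper names are constructed for this illustration. A declared external general entity is left unexpanded, no file or network access happens, and the surrounding character data is still delivered to the application. The parser pins the feature off explicitly rather than trusting the interpreter's default, so the same code is safe on releases from before this change.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# Constructed sample document (not from the PR): the internal DTD subset declares
# a general entity whose replacement text lives in an external file. The path is a
# placeholder that does not exist on this machine; with external entity loading
# disabled the parser never even tries to open it.
SAMPLE_XML = b"""<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY ext SYSTEM "file:///nonexistent-placeholder/secret.txt">
]>
<note>hello &ext; world</note>
"""


class TextCollector(ContentHandler):
    """Gathers character data so we can see exactly what reached the application."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        # expat may split a text run into several callbacks; join them at the end.
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def parser_is_hardened(parser):
    """True when the parser reports that it loads neither external general
    entities nor external parameter entities."""
    return not (parser.getFeature(feature_external_ges)
                or parser.getFeature(feature_external_pes))


def make_hardened_parser():
    """Create a SAX parser with external entity loading switched off.

    Both features are set explicitly instead of relying on the interpreter
    version's default, so this is safe on Python releases that predate the
    change in this PR as well as on those that include it.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    return parser


def parse_untrusted(data):
    """Parse bytes from an untrusted source and return the character data seen.

    Any reference to an external general entity is left unexpanded: the
    reader's entity callback declines to fetch it, so no file or network
    access takes place and only the document's own text is returned.
    """
    parser = make_hardened_parser()
    if not parser_is_hardened(parser):
        raise RuntimeError("SAX parser would still resolve external entities")
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data))
    return handler.text()


def default_allows_external_entities():
    """Report what a freshly created parser does before any feature is set.

    After this change (3.8, and the 3.7/3.6 backports referenced in this
    thread) a new parser reports external general entities as disabled.
    """
    return bool(xml.sax.make_parser().getFeature(feature_external_ges))


if __name__ == "__main__":
    print("default loads external entities:", default_allows_external_entities())
    print("parsed text:", repr(parse_untrusted(SAMPLE_XML)))
```

`parse_untrusted` returns `"hello  world"` (two spaces, one on each side of where the entity reference stood) and nothing from the referenced file, which is the observable effect of the new default. The `parser_is_hardened` guard is the check to keep in any code path that feeds attacker-controlled XML to `xml.sax`, since `feature_external_ges` can still be turned back on by a caller.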