> I'd like to give an update on the XML vulnerability fixes. Brett asked
> me a couple of days ago but I haven't had time to answer. I was/am busy
> with my daily job.
>
> Any attempt to fix the XML issues *will* change the behavior of the
> library and result in an incompatibility with older releases. Benjamin
> doesn't want to change the behavior of our XML libraries. IIRC Georg and
> Barry are +0. I think that we should keep the current and unsafe
> settings as default and add a simple API to enable limitations and
> protections.

IMHO Benjamin is right, given that this attack has been known to exist since 2003. Moreover, as it appears that no changes whatsoever are going to make it into 2.7, I don't see why patching of 3.1, 3.2 and 3.3 is needed. As for 3.4, it can't hurt to add an opt-in option for a safe mode to the affected libraries.
> * review of the changes to expat, pyexpat and _elementtree. Antoine,
> Brett and Fred Drake have done some reviews.

I'll gladly review the _elementtree changes and can help with the expat & pyexpat changes as well. Until now I had the impression that the patches aren't ready for review yet. If they are, that's great. Do you have a patch in the issue tracker (so it can be reviewed with Rietveld)? ISTM the current form is just a file (say _elementtree.c) in your Bitbucket repo. Should that be just diffed with the trunk file to see the changes?

Eli
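As an added illustration of the opt-in "safe mode" the quoted message proposes (example code written for this page, not a patch from the thread or from CPython): a pyexpat parser wired to ElementTree's TreeBuilder that keeps the stock behaviour by default and, only when the caller asks for it, refuses any DTD entity declaration before it can be expanded or fetched. The function names (make_parser, parse, is_rejected) and the SAMPLE document are constructed for the demo.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class EntityDeclForbidden(ValueError):
    """Raised when a document declares an entity in its DTD."""


def _reject_entity(name, is_parameter_entity, value, base,
                   system_id, public_id, notation_name):
    # pyexpat EntityDeclHandler signature. Internal entities (value set)
    # expand to text under the attacker's control; external ones
    # (system_id set) pull data in from elsewhere. Refuse both kinds.
    kind = "internal" if value is not None else "external"
    raise EntityDeclForbidden("%s entity %r declared in DTD" % (kind, name))


def make_parser(safe):
    """Build a pyexpat parser that feeds an ElementTree TreeBuilder.

    safe=False reproduces the library's default (permissive) behaviour;
    safe=True is the opt-in protection: entity declarations are rejected
    as soon as expat reports them, so nothing is ever expanded.
    """
    parser = expat.ParserCreate()
    builder = ET.TreeBuilder()
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    if safe:
        parser.EntityDeclHandler = _reject_entity
    return parser, builder


def parse(data, safe=True):
    """Parse a complete XML document (str or bytes); return the root element."""
    parser, builder = make_parser(safe)
    parser.Parse(data, True)
    return builder.close()


def is_rejected(data):
    """True if the hardened parser refuses the document."""
    try:
        parse(data, safe=True)
    except EntityDeclForbidden:
        return True
    return False


# Constructed sample: one harmless internal entity is enough to show the
# difference; the default parser expands it, the hardened one refuses it.
SAMPLE = '<!DOCTYPE r [<!ENTITY e "x">]><r>&e;</r>'
```

Plain documents without a DTD parse identically in both modes, which is the compatibility property the opt-in design is meant to preserve.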
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev