diff options
author | Ned Deily <nad@python.org> | 2021-08-31 02:35:31 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-08-31 02:35:31 -0400 |
commit | 910886a6448e4bf1edf49eeace4aa240b6403772 (patch) | |
tree | f3907be2308011c3a9964bfc0c13ae8a5f4fe4eb /Doc | |
parent | 8934bb0c3179e4c020cd6f08dea64bccbf56ffa2 (diff) | |
download | cpython-git-910886a6448e4bf1edf49eeace4aa240b6403772.tar.gz |
[3.6] bpo-44394: Update libexpat copy to 2.4.1 (GH-26945) (GH-28042) (GH-28080)
Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to get the
fix for the CVE-2013-0340 "Billion Laughs" vulnerability. This copy
is most used on Windows and macOS.
Co-authored-by: Victor Stinner <vstinner@python.org>
Co-authored-by: Ćukasz Langa <lukasz@langa.pl>.
(cherry picked from commit 3fc5d84046ddbd66abac5b598956ea34605a4e5d)
Diffstat (limited to 'Doc')
-rw-r--r-- | Doc/library/xml.rst | 34 | ||||
-rw-r--r-- | Doc/whatsnew/3.6.rst | 2 |
2 files changed, 20 insertions, 16 deletions
diff --git a/Doc/library/xml.rst b/Doc/library/xml.rst index 9b8ba6b17c..ac92a0d3a0 100644 --- a/Doc/library/xml.rst +++ b/Doc/library/xml.rst @@ -60,23 +60,27 @@ circumvent firewalls. The following table gives an overview of the known attacks and whether the various modules are vulnerable to them. -========================= ============== =============== ============== ============== ============== -kind sax etree minidom pulldom xmlrpc -========================= ============== =============== ============== ============== ============== -billion laughs **Vulnerable** **Vulnerable** **Vulnerable** **Vulnerable** **Vulnerable** -quadratic blowup **Vulnerable** **Vulnerable** **Vulnerable** **Vulnerable** **Vulnerable** -external entity expansion Safe (4) Safe (1) Safe (2) Safe (4) Safe (3) -`DTD`_ retrieval Safe (4) Safe Safe Safe (4) Safe -decompression bomb Safe Safe Safe Safe **Vulnerable** -========================= ============== =============== ============== ============== ============== - -1. :mod:`xml.etree.ElementTree` doesn't expand external entities and raises a +========================= ================== ================== ================== ================== ================== +kind sax etree minidom pulldom xmlrpc +========================= ================== ================== ================== ================== ================== +billion laughs **Vulnerable** (1) **Vulnerable** (1) **Vulnerable** (1) **Vulnerable** (1) **Vulnerable** (1) +quadratic blowup **Vulnerable** (1) **Vulnerable** (1) **Vulnerable** (1) **Vulnerable** (1) **Vulnerable** (1) +external entity expansion Safe (5) Safe (2) Safe (3) Safe (5) Safe (4) +`DTD`_ retrieval Safe (5) Safe Safe Safe (5) Safe +decompression bomb Safe Safe Safe Safe **Vulnerable** +========================= ================== ================== ================== ================== ================== + +1. Expat 2.4.1 and newer is not vulnerable to the "billion laughs" and + "quadratic blowup" vulnerabilities. Items still listed as vulnerable due to + potential reliance on system-provided libraries. Check + :data:`pyexpat.EXPAT_VERSION`. +2. :mod:`xml.etree.ElementTree` doesn't expand external entities and raises a :exc:`ParserError` when an entity occurs. -2. :mod:`xml.dom.minidom` doesn't expand external entities and simply returns +3. :mod:`xml.dom.minidom` doesn't expand external entities and simply returns the unexpanded entity verbatim. -3. :mod:`xmlrpclib` doesn't expand external entities and omits them. -4. Since Python 3.8.0, external general entities are no longer processed by - default since Python. +4. :mod:`xmlrpclib` doesn't expand external entities and omits them. +5. Since Python 3.6.7, external general entities are no longer processed by + default. billion laughs / exponential entity expansion diff --git a/Doc/whatsnew/3.6.rst b/Doc/whatsnew/3.6.rst index c14e790935..5f8f478eb3 100644 --- a/Doc/whatsnew/3.6.rst +++ b/Doc/whatsnew/3.6.rst @@ -2181,7 +2181,7 @@ Changes in the Python API * The functions in the :mod:`compileall` module now return booleans instead of ``1`` or ``0`` to represent success or failure, respectively. Thanks to - booleans being a subclass of integers, this should only be an issue if you7 + booleans being a subclass of integers, this should only be an issue if you were doing identity checks for ``1`` or ``0``. See :issue:`25768`. * Reading the :attr:`~urllib.parse.SplitResult.port` attribute of |