blob: f50624e9785fbcc3167565f90b1e1dece56105a5 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
|
Changelog
=========
defusedxml 0.6.0.dev1
---------------------
*Release date: ??-???-2019*
- Test on Python 3.7 stable and 3.8-dev
- Drop support for Python 3.4
- No longer pass *html* argument to XMLParse. It has been deprecated and
ignored for a long time. The DefusedXMLParser still takes a html argument.
A deprecation warning is issued when the argument is False and a TypeError
when it's True.
- defusedxml now fails early when pyexpat stdlib module is not available or
broken.
- defusedxml.ElementTree.__all__ now lists ParseError as public attribute.
- The defusedxml.ElementTree and defusedxml.cElementTree modules had a typo
and used XMLParse instead of XMLParser as an alias for DefusedXMLParser.
Both the old and fixed name are now available.
defusedxml 0.5.0
----------------
*Release date: 07-Feb-2017*
- No changes
defusedxml 0.5.0.rc1
--------------------
*Release date: 28-Jan-2017*
- Add compatibility with Python 3.6
- Drop support for Python 2.6, 3.1, 3.2, 3.3
- Fix lxml tests (XMLSyntaxError: Detected an entity reference loop)
defusedxml 0.4.1
----------------
*Release date: 28-Mar-2013*
- Add more demo exploits, e.g. python_external.py and Xalan XSLT demos.
- Improved documentation.
defusedxml 0.4
--------------
*Release date: 25-Feb-2013*
- As per http://seclists.org/oss-sec/2013/q1/340 please REJECT
CVE-2013-0278, CVE-2013-0279 and CVE-2013-0280 and use CVE-2013-1664,
CVE-2013-1665 for OpenStack/etc.
- Add missing parser_list argument to sax.make_parser(). The argument is
ignored, though. (thanks to Florian Apolloner)
- Add demo exploit for external entity attack on Python's SAX parser, XML-RPC
and WebDAV.
defusedxml 0.3
--------------
*Release date: 19-Feb-2013*
- Improve documentation
defusedxml 0.2
--------------
*Release date: 15-Feb-2013*
- Rename ExternalEntitiesForbidden to ExternalReferenceForbidden
- Rename defusedxml.lxml.check_dtd() to check_docinfo()
- Unify argument names in callbacks
- Add arguments and formatted representation to exceptions
- Add forbid_external argument to all functions and classes
- More tests
- LOTS of documentation
- Add example code for other languages (Ruby, Perl, PHP) and parsers (Genshi)
- Add protection against XML and gzip attacks to xmlrpclib
defusedxml 0.1
--------------
*Release date: 08-Feb-2013*
- Initial and internal release for PSRT review
|
