bpo-17239: Disable external entities in SAX parser#9217

tiran

The SAX parser no longer processes general external entities by default
to increase security. Before, the parser created network connections
to fetch remote files or loaded local files from the file system for DTD
and entities.

Signed-off-by: Christian Heimes christian@python.org

https://bugs.python.org/issue17239

csabella

Since default functionality is changing, should this be included in the What's New in 3.8 page?

vstinner

LGTM. Since there is a way to enable it in Python 3.7 and older, it's fine to change the default.

Should we change the default in Python 3.7 and older? I'm not sure about that.

zooba

Agreed with both Cheryl and Victor's suggestions.

tiran

@csabella @vstinner @zooba I have updated the PR.

zooba

LGTM

vstinner

LGTM, but maybe remove version numbers until they are really fixed?

The xml.sax and xml.dom.minidom parsers no longer processes external entities to increase security. Before, the parser created network connections to fetch remote files or loaded local files from the file system for DTD and entities. Signed-off-by: Christian Heimes <christian@python.org>

miss-islington

@tiran: Status check is done, and it's a success ✅ .

miss-islington

Thanks @tiran for the PR 🌮🎉.. I'm working now to backport this PR to: 2.7, 3.6, 3.7.
🐍🍒⛏🤖 I'm not a witch! I'm not a witch!

miss-islington

Sorry, @tiran, I could not cleanly backport this to 3.7 due to a conflict.
Please backport using cherry_picker on command line.
cherry_picker 17b1d5d4e36aa57a9b25a0e694affbd1ee637e45 3.7

miss-islington

Sorry, @tiran, I could not cleanly backport this to 3.6 due to a conflict.
Please backport using cherry_picker on command line.
cherry_picker 17b1d5d4e36aa57a9b25a0e694affbd1ee637e45 3.6

miss-islington

Sorry, @tiran, I could not cleanly backport this to 2.7 due to a conflict.
Please backport using cherry_picker on command line.
cherry_picker 17b1d5d4e36aa57a9b25a0e694affbd1ee637e45 2.7

bedevere-bot

GH-9511 is a backport of this pull request to the 3.7 branch.

The SAX parser no longer processes general external entities by default to increase security. Before, the parser created network connections to fetch remote files or loaded local files from the file system for DTD and entities. Signed-off-by: Christian Heimes <christian@python.org> https://bugs.python.org/issue17239. (cherry picked from commit 17b1d5d) Co-authored-by: Christian Heimes <christian@python.org>

bedevere-bot

GH-9512 is a backport of this pull request to the 3.6 branch.

…H-9512) The SAX parser no longer processes general external entities by default to increase security. Before, the parser created network connections to fetch remote files or loaded local files from the file system for DTD and entities. Signed-off-by: Christian Heimes <christian@python.org> https://bugs.python.org/issue17239. (cherry picked from commit 17b1d5d) Co-authored-by: Christian Heimes <christian@python.org> https://bugs.python.org/issue17239

…H-9511) The SAX parser no longer processes general external entities by default to increase security. Before, the parser created network connections to fetch remote files or loaded local files from the file system for DTD and entities. Signed-off-by: Christian Heimes <christian@python.org> https://bugs.python.org/issue17239. (cherry picked from commit 17b1d5d) Co-authored-by: Christian Heimes <christian@python.org> https://bugs.python.org/issue17239

tiran added needs backport to 3.6 type-security A security issue labels Sep 12, 2018

tiran requested a review from zooba September 12, 2018 16:26

the-knights-who-say-ni added the CLA signed label Sep 12, 2018

bedevere-bot added the awaiting merge label Sep 12, 2018

tiran force-pushed the bpo17239-sax-ges branch from 686acbb to 3314077 Compare September 12, 2018 16:32

vstinner approved these changes Sep 13, 2018

View reviewed changes

zooba approved these changes Sep 17, 2018

View reviewed changes

tiran force-pushed the bpo17239-sax-ges branch 2 times, most recently from 15bf855 to dd8ee7e Compare September 17, 2018 21:34

vstinner approved these changes Sep 17, 2018

View reviewed changes

tiran force-pushed the bpo17239-sax-ges branch 3 times, most recently from d8125c2 to 55db8ce Compare September 22, 2018 05:57

tiran force-pushed the bpo17239-sax-ges branch from 55db8ce to 0c8828c Compare September 23, 2018 07:21

tiran added the 🤖 automerge label Sep 23, 2018

miss-islington merged commit 17b1d5d into python:master Sep 23, 2018

bedevere-bot removed the awaiting merge label Sep 23, 2018

miss-islington self-assigned this Sep 23, 2018

bedevere-bot removed the needs backport to 3.7 label Sep 23, 2018

bedevere-bot removed the needs backport to 3.6 label Sep 23, 2018

gpshead mentioned this pull request Apr 10, 2022

XML vulnerabilities in Python #61441

Open

Conversation

tiran commented Sep 12, 2018 • edited by bedevere-bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

csabella commented Sep 12, 2018

Uh oh!

vstinner left a comment

Choose a reason for hiding this comment

Uh oh!

zooba left a comment

Choose a reason for hiding this comment

Uh oh!

tiran commented Sep 17, 2018

Uh oh!

zooba commented Sep 17, 2018

Uh oh!

vstinner left a comment

Choose a reason for hiding this comment

Uh oh!

miss-islington commented Sep 23, 2018

Uh oh!

miss-islington commented Sep 23, 2018

Uh oh!

miss-islington commented Sep 23, 2018

Uh oh!

miss-islington commented Sep 23, 2018

Uh oh!

miss-islington commented Sep 23, 2018

Uh oh!

bedevere-bot commented Sep 23, 2018

Uh oh!

bedevere-bot commented Sep 23, 2018

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

7 participants

tiran commented Sep 12, 2018 •

edited by bedevere-bot

Loading