New submission from Adam Williamson:

The changes made to xml.etree.ElementTree in this commit:

https://github.com/python/cpython/commit/12a626fae80a57752ccd91ad25b5a283e18154ec

break defusedxml, Christian Heimes' library of modified parsers that's 
intended to be safe for parsing untrusted input. As of now, it's not possible 
to have defusedxml working properly with Python 3.6; its ElementTree parsers 
cannot work properly.

Of course, defusedxml is an external library that does 'inappropriate' things 
(like fiddling around with internals of the xml library). So usually this 
should be considered just a problem for defusedxml to deal with somehow, and 
indeed I've reported it there: https://github.com/tiran/defusedxml/issues/3 . 
That report has more details on the precise problem.

I thought it was worthwhile reporting to Python itself as well, however, for a 
specific reason. The Python docs for the xml library explicitly cover and 
endorse the use of defusedxml:

"defusedxml is a pure Python package with modified subclasses of all stdlib XML 
parsers that prevent any potentially malicious operation. Use of this package 
is recommended for any server code that parses untrusted XML data." - 
https://docs.python.org/3.6/library/xml.html#the-defusedxml-and-defusedexpat-packages

so as things stand, the Python 3.6 docs will explicitly recommend people use a 
module which does not work with Python 3.6. Is this considered a serious 
problem?

It also looks to me (though I'm hardly an expert) as if it might be quite 
difficult and ugly to fix this on the defusedxml side, and the 'nicest' fix 
might actually be to tweak Python's xml module back a bit more to how it was in 
< 3.6 (but without losing the optimization from the commit in question) so it's 
easier for defusedxml to get at the internals it needs...but I could well be 
wrong about that.

Thanks!

----------
components: XML
messages: 283854
nosy: adamwill
priority: normal
severity: normal
status: open
title: xml.etree.ElementTree in Python 3.6 is incompatible with defusedxml
type: behavior
versions: Python 3.6

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29050>
_______________________________________
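A stdlib-only guard in the spirit of defusedxml's ElementTree parser, added here as an example (it is not code from the bug report or from defusedxml): it refuses DOCTYPE, entity and external-reference constructs through expat callbacks and feeds the standard TreeBuilder, so it does not depend on the XMLParser internals whose change this issue is about. The names parse_untrusted, rejects_dtd and ForbiddenXML are this example's own, and the probe document is constructed.

```python
import xml.parsers.expat as expat
from xml.etree.ElementTree import Element, TreeBuilder


class ForbiddenXML(ValueError):
    """Input contained a DOCTYPE, entity declaration or external reference."""


def parse_untrusted(data: bytes, forbid_dtd: bool = True) -> Element:
    """Parse `data` into an Element, refusing DTD/entity constructs.

    Drives xml.parsers.expat directly and feeds the stdlib TreeBuilder, so it
    does not rely on ElementTree.XMLParser internals the way defusedxml does.
    """
    builder = TreeBuilder()
    parser = expat.ParserCreate()
    parser.buffer_text = True  # coalesce character data into fewer callbacks

    def refuse(what):
        # Any of these expat callbacks firing means the document carries a
        # construct we never accept from untrusted sources: abort the parse.
        def handler(*_args):
            raise ForbiddenXML(f"{what} not allowed in untrusted XML")
        return handler

    if forbid_dtd:
        parser.StartDoctypeDeclHandler = refuse("DOCTYPE declaration")
    parser.EntityDeclHandler = refuse("entity declaration")
    parser.UnparsedEntityDeclHandler = refuse("unparsed entity declaration")
    parser.ExternalEntityRefHandler = refuse("external entity reference")

    # Tree construction goes through the same TreeBuilder the stdlib uses.
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data

    parser.Parse(data, True)
    return builder.close()


def rejects_dtd(parse) -> bool:
    """Self-check: does `parse` refuse a minimal document with an internal DTD?
    Use at startup to confirm the parser you believe is hardened (yours or
    defusedxml's) has not silently been replaced by a permissive one."""
    probe = b"<!DOCTYPE r [<!ENTITY e 'x'>]><r>&e;</r>"  # constructed sample
    try:
        parse(probe)
    except Exception:
        return True
    return False
```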