[issue17538] Document XML Vulnerabilities

2013-12-21 Thread Antoine Pitrou
Changes by Antoine Pitrou: -- resolution: -> fixed; stage: patch review -> committed/rejected; status: open -> closed

[issue17538] Document XML Vulnerabilities

2013-04-06 Thread Éric Araujo
Éric Araujo added the comment: Christian: there are people strongly disagreeing with the description of minidom as “lightweight”, could you edit the library/xml.rst file you added to say “minimal” instead? See c2ae1ed03853 and #11379 if you want more info. --

[issue17538] Document XML Vulnerabilities

2013-04-06 Thread Roundup Robot
Roundup Robot added the comment: New changeset f45902f8c7d7 by Christian Heimes in branch '3.2': Issue 17538: Document XML vulnerabilities http://hg.python.org/cpython/rev/f45902f8c7d7 --

[issue17538] Document XML Vulnerabilities

2013-03-30 Thread Roundup Robot
Roundup Robot added the comment: New changeset 91bb6d7ae833 by Christian Heimes in branch '2.7': Issue 17538: Document XML vulnerabilities http://hg.python.org/cpython/rev/91bb6d7ae833 --

[issue17538] Document XML Vulnerabilities

2013-03-26 Thread Roundup Robot
Roundup Robot added the comment: New changeset e7795a178b0a by Christian Heimes in branch '3.2': Issue 17538: Document XML vulnerabilities http://hg.python.org/cpython/rev/e7795a178b0a
New changeset 65e8ac5f073f by Christian Heimes in branch '3.3': Issue 17538: Document XML vulnerabilities http://

[issue17538] Document XML Vulnerabilities

2013-03-26 Thread Georg Brandl
Georg Brandl added the comment: I still see "erroneous" in there... otherwise looks good to me. --

[issue17538] Document XML Vulnerabilities

2013-03-26 Thread Christian Heimes
Christian Heimes added the comment: Here we go again! -- stage: -> patch review Added file: http://bugs.python.org/file29581/xmldocs3.diff

[issue17538] Document XML Vulnerabilities

2013-03-26 Thread Georg Brandl
Georg Brandl added the comment:
2. That would be good. For this table the "simple" rst tables should be fine:

    ====  ====
    head  head
    ====  ====
    body  body
    body  body
    ====  ====

3. Once per XML logical handling module/package seems quite enough.
4. The warnings only link to the section

[issue17538] Document XML Vulnerabilities

2013-03-26 Thread Donald Stufft
Donald Stufft added the comment: FWIW I put the warning on all the sax pages just because there's no way to know which page a user will go to if they are coming in via google. --

[issue17538] Document XML Vulnerabilities

2013-03-26 Thread Christian Heimes
Christian Heimes added the comment:
1. sounds fine to me
2. I can copy some text from the README.txt of defusedxml. CSV table was easier to maintain for me. What's a good tool to create and modify sphinx tables?
3. No strong opinion here, better safe than sorry?
4. IMO the warning should ment

[issue17538] Document XML Vulnerabilities

2013-03-26 Thread Georg Brandl
Georg Brandl added the comment:
* I would take out the "erroneous" of "erroneous or maliciously constructed" in the disclaimers. The odds of creating one of the "bombings" by chance are slim.
* The names of attacks in the table are quite opaque if you haven't heard of them. They should be li

[issue17538] Document XML Vulnerabilities

2013-03-26 Thread Christian Heimes
Christian Heimes added the comment: Benjamin and Georg, what do the RMs feel about the doc patch? -- nosy: +benjamin.peterson, georg.brandl

[issue17538] Document XML Vulnerabilities

2013-03-25 Thread Éric Araujo
Éric Araujo added the comment: LGTM. -- nosy: +eric.araujo; versions: +Python 3.2

[issue17538] Document XML Vulnerabilities

2013-03-25 Thread Donald Stufft
Donald Stufft added the comment: Update looks fine to me. I'm not the best at docs; I just wanted to get at least a jumping off point. --

[issue17538] Document XML Vulnerabilities

2013-03-25 Thread Christian Heimes
Christian Heimes added the comment: Updated patch with more info and also a link to defusedexpat. -- Added file: http://bugs.python.org/file29572/xmldocs2.diff

[issue17538] Document XML Vulnerabilities

2013-03-25 Thread Christian Heimes
Christian Heimes added the comment: Donald: Thanks! I'm going to look at your patch later today. Hynek: Because the preferred way is another: use patched expat and pyexpat C modules of defusedexpat. It's a fix on C level and still allows a sane amount of entity expansions. defusedxml disallows
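An added example (not code from the issue thread, defusedxml or defusedexpat) of the Python-level mitigation Christian contrasts with defusedexpat above: instead of capping how far entities may expand (defusedexpat's C-level fix), the parser refuses any document that declares entities, so a nested-entity bomb is never expanded. It assumes Python 3 with the stdlib expat bindings; the sample documents are constructed.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class EntitiesForbidden(ValueError):
    """Raised before expat expands anything from a forbidden DTD construct."""


def parse_untrusted(data: bytes, forbid_dtd: bool = False) -> ET.Element:
    """Parse bytes into an ElementTree root, rejecting entity declarations.

    With forbid_dtd=True any DOCTYPE at all is rejected, which also blocks
    external DTD references and parameter-entity tricks up front.
    """
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()

    def entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        # expat calls this for every <!ENTITY ...>; raising here aborts the parse
        # before any reference to the entity can be expanded.
        raise EntitiesForbidden(f"entity declaration {name!r} not allowed")

    def doctype_decl(name, system_id, public_id, has_internal_subset):
        raise EntitiesForbidden(f"DOCTYPE {name!r} not allowed")

    parser.EntityDeclHandler = entity_decl
    if forbid_dtd:
        parser.StartDoctypeDeclHandler = doctype_decl
    # Feed expat's element events into a TreeBuilder so clean documents come
    # out as ordinary ElementTree elements.
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)
    return builder.close()


def rejection_reason(data: bytes, forbid_dtd: bool = False):
    """Return None if the data parses cleanly, else the reason it was refused."""
    try:
        parse_untrusted(data, forbid_dtd)
    except EntitiesForbidden as exc:
        return str(exc)
    return None


# Constructed inputs (hypothetical): a plain document and one declaring an entity.
PLAIN = b"<config><host>db.example.invalid</host></config>"
WITH_ENTITY = b'<!DOCTYPE config [<!ENTITY h "db">]><config><host>&h;</host></config>'
```

Rejecting declarations outright is stricter than defusedexpat's expansion limit: documents that legitimately use their own internal entities will be refused too.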

[issue17538] Document XML Vulnerabilities

2013-03-25 Thread Hynek Schlawack
Hynek Schlawack added the comment: I feel like there should be a warning in Doc/library/xml.rst too. Is there any actual reason why we don’t ship defusedxml with Python and add an easy way to monkeypatch so there are as few passive barriers as possible to using XML “safely”? I’m sorry I didn’t

[issue17538] Document XML Vulnerabilities

2013-03-24 Thread Donald Stufft
New submission from Donald Stufft: Here's a documentation patch (made against the 2.7 branch) that adds warnings to the various xml modules to warn about the insecurity and points towards defusedxml/defusedexpat. -- components: Library (Lib); files: xmldocs.diff; keywords: patch; mess