Skip to content

bpo-38585: Remove references to defusedexpat #22095

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
miss-islington merged 1 commit into from
Sep 4, 2020
Merged

bpo-38585: Remove references to defusedexpat #22095

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
bpo-38585: Remove references to defusedexpat 
defusedexpat is not maintained.
  • Loading branch information
@ZackerySpytz
ZackerySpytz committed Sep 4, 2020
commit 5deb58cbe629cef9d33f09b5c1a297ce8c8cc136
14 changes: 3 additions & 11 deletions Doc/library/xml.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ Python's interfaces for processing XML are grouped in the ``xml`` package.
The XML modules are not secure against erroneous or maliciously
constructed data. If you need to parse untrusted or
unauthenticated data see the :ref:`xml-vulnerabilities` and
:ref:`defused-packages` sections.
:ref:`defusedxml-package` sections.

It is important to note that modules in the :mod:`xml` package require that
there be at least one SAX-compliant XML parser available. The Expat parser is
Expand Down Expand Up @@ -113,9 +113,9 @@ decompression bomb
The documentation for `defusedxml`_ on PyPI has further information about
all known attack vectors with examples and references.

.. _defused-packages:
.. _defusedxml-package:

The :mod:`defusedxml` and :mod:`defusedexpat` Packages
The :mod:`defusedxml` Package
------------------------------------------------------

`defusedxml`_ is a pure Python package with modified subclasses of all stdlib
Expand All @@ -124,16 +124,8 @@ package is recommended for any server code that parses untrusted XML data. The
package also ships with example exploits and extended documentation on more
XML exploits such as XPath injection.

`defusedexpat`_ provides a modified libexpat and a patched
:mod:`pyexpat` module that have countermeasures against entity expansion
DoS attacks. The :mod:`defusedexpat` module still allows a sane and configurable amount of entity
expansions. The modifications may be included in some future release of Python,
but will not be included in any bugfix releases of
Python because they break backward compatibility.


.. _defusedxml: https://pypi.org/project/defusedxml/
.. _defusedexpat: https://pypi.org/project/defusedexpat/
.. _Billion Laughs: https://en.wikipedia.org/wiki/Billion_laughs
.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb
.. _DTD: https://en.wikipedia.org/wiki/Document_type_definition