gh-141994: Warn of XXE vulnerability in documentation of SAX feature xml.sax.handler.feature_external_ges (GH-141996)

Doc/library/xml.sax.handler.rst: Warn of XXE with feature_external_ges

Related to commit baa9f33897
Sebastian Pipping 2025-11-29 08:08:17 +01:00 committed by GitHub
parent 5e749d3743
commit 440bcb9456
2 changed files with 12 additions and 0 deletions


@ -96,6 +96,14 @@ for the feature and property names.
.. data:: feature_external_ges
.. warning::
Enabling opens a vulnerability to
`external entity attacks <https://en.wikipedia.org/wiki/XML_external_entity_attack>`_
if the parser is used with user-provided XML content.
Please reflect on your `threat model <https://en.wikipedia.org/wiki/Threat_model>`_
before enabling this feature.
| value: ``"http://xml.org/sax/features/external-general-entities"``
| true: Include all external general (text) entities.
| false: Do not include external general entities.
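Review bot: the warning names the risk but gives no actionable recommendation; "Please reflect on your threat model before enabling this feature" leaves the reader without a default. Since the hunk already documents the two values ("true: Include all external general (text) entities." / "false: Do not include external general entities."), consider adding one concrete sentence, e.g. "Leave this feature set to false for any XML that does not come from a trusted source." Also, "Enabling opens a vulnerability to external entity attacks" reads awkwardly in a reference page; "Enabling this feature exposes the application to external entity attacks" is closer to the register of the surrounding entries.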


@ -0,0 +1,4 @@
:mod:`xml.sax.handler`: Make Documentation of
:data:`xml.sax.handler.feature_external_ges` warn of opening up to `external
entity attacks <https://en.wikipedia.org/wiki/XML_external_entity_attack>`_.
Patch by Sebastian Pipping.
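Review bot: style nit in the NEWS entry: "Make Documentation of" should read "Make the documentation of" (lowercase, with the article), matching the rest of the sentence, and "warn of opening up to" is colloquial; "warn that enabling it exposes the parser to" states the same thing in the register used elsewhere in the changelog.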