mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-07-24 03:35:53 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 8

bpo-38585: Remove references to defusedexpat (GH-22095)

Browse source 
defusedexpat is not maintained.
This commit is contained in:
Zackery Spytz 2020-09-04 14:57:48 -06:00 committed by GitHub
parent 84a7917b4c
commit 51b84f8e96
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 3 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

14
Doc/library/xml.rst
View file

@ -20,7 +20,7 @@ Python's interfaces for processing XML are grouped in the ``xml`` package.
The XML modules are not secure against erroneous or maliciously The XML modules are not secure against erroneous or maliciously
constructed data. If you need to parse untrusted or constructed data. If you need to parse untrusted or
unauthenticated data see the :ref:`xml-vulnerabilities` and unauthenticated data see the :ref:`xml-vulnerabilities` and
:ref:`defused-packages` sections. :ref:`defusedxml-package` sections.
It is important to note that modules in the :mod:`xml` package require that It is important to note that modules in the :mod:`xml` package require that
there be at least one SAX-compliant XML parser available. The Expat parser is there be at least one SAX-compliant XML parser available. The Expat parser is
@ -113,9 +113,9 @@ decompression bomb
The documentation for `defusedxml`_ on PyPI has further information about The documentation for `defusedxml`_ on PyPI has further information about
all known attack vectors with examples and references. all known attack vectors with examples and references.
.. _defused-packages: .. _defusedxml-package:
The :mod:`defusedxml` and :mod:`defusedexpat` Packages The :mod:`defusedxml` Package
------------------------------------------------------ ------------------------------------------------------
`defusedxml`_ is a pure Python package with modified subclasses of all stdlib `defusedxml`_ is a pure Python package with modified subclasses of all stdlib
@ -124,16 +124,8 @@ package is recommended for any server code that parses untrusted XML data. The
package also ships with example exploits and extended documentation on more package also ships with example exploits and extended documentation on more
XML exploits such as XPath injection. XML exploits such as XPath injection.
`defusedexpat`_ provides a modified libexpat and a patched
:mod:`pyexpat` module that have countermeasures against entity expansion
DoS attacks. The :mod:`defusedexpat` module still allows a sane and configurable amount of entity
expansions. The modifications may be included in some future release of Python,
but will not be included in any bugfix releases of
Python because they break backward compatibility.
.. _defusedxml: https://pypi.org/project/defusedxml/ .. _defusedxml: https://pypi.org/project/defusedxml/
.. _defusedexpat: https://pypi.org/project/defusedexpat/
.. _Billion Laughs: https://en.wikipedia.org/wiki/Billion_laughs .. _Billion Laughs: https://en.wikipedia.org/wiki/Billion_laughs
.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb .. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb
.. _DTD: https://en.wikipedia.org/wiki/Document_type_definition .. _DTD: https://en.wikipedia.org/wiki/Document_type_definition