
gh-127502: Update XML vulnerability table #135294

Open: wants to merge 2 commits into base: main

Conversation

@vstinner (Member) commented Jun 9, 2025

Python 3.11-3.15 include expat 2.7.1 which is not vulnerable.

expat 2.6.0 was released in February 2024.


📚 Documentation preview 📚: https://cpython-previews--135294.org.readthedocs.build/

Python 3.11-3.15 include expat 2.7.1 which is not vulnerable.

expat 2.6.0 was released in February 2024.
@encukou (Member) commented Jun 9, 2025

Do you think the table should be kept, now that it says Safe almost everywhere?

@vstinner (Member, Author) commented Jun 9, 2025

Do you think the table should be kept, now that it says Safe almost everywhere?

The table has many notes with pyexpat versions. There are likely old Python versions in the wild with old pyexpat versions.

The question is more if we need to keep the big red warning at the top:

The XML modules are not secure against erroneous or maliciously constructed data. If you need to parse untrusted or unauthenticated data see the XML vulnerabilities and The defusedxml Package sections.

Maybe this warning can just be removed.

Since Python XML modules are now safe by default, we can maybe remove references to the defusedxml project which is no longer needed.

Note: The latest defused version (0.7.0) was released in 2021. There is a 0.8.0rc2 version around since September 2023 with no final release. The project seems to be unmaintained (latest commit: 2 years ago).
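Since the comment above turns on which expat a given interpreter actually links against, here is a small check that reads the linked version and compares it with the 2.6.0 threshold cited in the PR description. This is an added example, not code from the PR or from CPython; it uses the documented `xml.parsers.expat.EXPAT_VERSION` and `xml.parsers.expat.version_info` attributes, and the 2.6.0 cut-off is taken from the PR text, not from an independent audit.

```python
"""Report the expat version linked into this interpreter and compare it
against the 2.6.0 threshold mentioned in the PR discussion.

Added example, not part of the CPython PR.
"""
import sys
from xml.parsers import expat

# Threshold taken from the PR description (expat 2.6.0, February 2024).
SAFE_EXPAT = (2, 6, 0)


def parse_expat_version(label: str) -> tuple[int, ...]:
    """Turn an EXPAT_VERSION string such as 'expat_2.7.1' into (2, 7, 1)."""
    _, _, numbers = label.rpartition("_")
    return tuple(int(part) for part in numbers.split("."))


def expat_at_least(version: tuple[int, ...], minimum=SAFE_EXPAT) -> bool:
    """True if `version` is at or above `minimum`.

    Short tuples are padded with zeros so (2, 6) compares equal to (2, 6, 0).
    """
    width = max(len(version), len(minimum))

    def pad(v):
        return tuple(v) + (0,) * (width - len(v))

    return pad(version) >= pad(minimum)


def report() -> dict:
    """Collect the interpreter's expat details for logging or fleet inventory."""
    version = tuple(expat.version_info)
    return {
        "python": sys.version.split()[0],
        "expat": expat.EXPAT_VERSION,
        "version_info": version,
        "meets_2_6_0": expat_at_least(version),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run it under each interpreter you ship; an old Python may be paired with an old pyexpat even when the Python version itself looks recent, which is why the check reads the linked library rather than `sys.version`.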

@vstinner (Member, Author) commented Jun 9, 2025

I updated my PR to remove the red warning and remove references to defusedxml.

@hannob commented Jun 9, 2025

There are similar warnings in several other files, e.g.:

Doc/library/xml.etree.elementtree.rst
Doc/library/xml.dom.pulldom.rst
Doc/library/xml.dom.minidom.rst
Doc/library/xml.sax.rst

Labels: awaiting core review, docs, needs backport to 3.13, needs backport to 3.14, skip news
Projects: Status: Todo
3 participants