Title: Ambiguous sentence in document of xml package.
Type:
Stage: resolved
Components: Documentation
Versions: Python 3.3, Python 3.4
Status: closed
Resolution:
Dependencies:
Superseder:
Assigned To:
Nosy List: Fran.Bull, akuchling, christian.heimes, docs@python, methane, python-dev, r.david.murray, terry.reedy
Priority: normal
Keywords: patch

Created on 2014-01-13 10:13 by methane, last changed 2014-02-15 20:35 by akuchling. This issue is now closed.

Files:
20237.patch (uploaded by Fran.Bull, 2014-01-14 18:03)
Messages (8)
msg208015 - Author: Inada Naoki (methane) (Python committer) Date: 2014-01-13 10:13

"The courses of action are recommended for any server code that parses untrusted XML data."

What does this sentence mean?
What is "The courses"?
msg208036 - Author: R. David Murray (r.david.murray) (Python committer) Date: 2014-01-13 18:46
It means that the package suggests what courses of action to take when parsing untrusted data.  I don't know how it goes about doing that, though, so we'll have to ask Christian to clarify.
msg208037 - Author: R. David Murray (r.david.murray) (Python committer) Date: 2014-01-13 18:47
s/courses of action/kinds of actions/ in my explanation, otherwise it might be just as confusing :)
msg208104 - Author: Fran Bull (Fran.Bull) Date: 2014-01-14 18:03
I think the sentence either means:
1) The courses of action that defusedxml implements are those recommended for any server code that parses untrusted XML data. 
2) Using defused XML is recommended for any server code that parses untrusted XML data. 

And I think 2 is more likely. So the attached patch reflects that.
msg208106 - Author: R. David Murray (r.david.murray) (Python committer) Date: 2014-01-14 18:29
Actually, I think it means that the defusedxml documentation tells you what to do to protect yourself from various attack vectors, which pretty much amounts to importing certain functions from defusedxml and using them instead of the stdlib versions.  Your patch may be sufficient, but let's see what Christian has to say.
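The substitution described in the message above (defusedxml's functions in place of the stdlib parsers), written out as an added example; it is not part of this thread, the attached patch, or the defusedxml project. It assumes the third-party module name `defusedxml.ElementTree` and its `fromstring(..., forbid_dtd=True)` keyword. The stdlib-only fallback that refuses DOCTYPE and entity declarations is this example's own guard, not defusedxml's implementation, and the sample documents are constructed.

```python
"""Added example: parsing untrusted XML by swapping in defusedxml.

Not part of the bug report, the patch, or the defusedxml project. Uses
defusedxml's drop-in parser when it is installed and otherwise falls back
to a stdlib-only pre-scan that refuses any document carrying a DOCTYPE or
entity declaration. The fallback is this example's own code and only
approximates what defusedxml rejects.
"""
import xml.etree.ElementTree as stdlib_ET
import xml.parsers.expat

try:
    # Third-party drop-in replacement for xml.etree.ElementTree (assumed name).
    import defusedxml.ElementTree as defused_ET
except ImportError:
    defused_ET = None


class UnsafeXML(ValueError):
    """The document uses XML features that are not allowed for untrusted input."""


def _reject_dtd_and_entities(text):
    """Pre-scan with expat and raise UnsafeXML on any DOCTYPE or entity declaration.

    Stdlib-only fallback used when defusedxml is unavailable. An exception
    raised inside an expat handler propagates out of Parse(), so the first
    forbidden construct aborts the scan before anything is expanded.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML("DOCTYPE declaration not allowed in untrusted XML: %r" % name)

    def on_entity_decl(*decl):
        raise UnsafeXML("entity declaration not allowed in untrusted XML")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(text, True)  # raises UnsafeXML via the handlers on forbidden input


def parse_untrusted(text):
    """Return the root Element of `text`, refusing DTDs and entity definitions."""
    if defused_ET is not None:
        try:
            # forbid_dtd defaults to False in defusedxml; set it so both paths agree.
            return defused_ET.fromstring(text, forbid_dtd=True)
        except ValueError as exc:  # defusedxml's exceptions subclass ValueError
            raise UnsafeXML(str(exc)) from exc
    _reject_dtd_and_entities(text)
    return stdlib_ET.fromstring(text)


def classify(text):
    """Return 'parsed' or 'rejected' for a document, for quick checks."""
    try:
        parse_untrusted(text)
        return "parsed"
    except UnsafeXML:
        return "rejected"


# Constructed sample inputs (not taken from the issue).
BENIGN_XML = "<root><item>ok</item></root>"
# A single internal entity definition: the minimal shape of input the guard refuses.
XML_WITH_ENTITY = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE root [<!ENTITY greeting "hello">]>'
    "<root>&greeting;</root>"
)

if __name__ == "__main__":
    print("benign:", classify(BENIGN_XML))            # parsed
    print("with entity:", classify(XML_WITH_ENTITY))  # rejected
    # The unguarded stdlib call expands the declared entity without complaint.
    print("stdlib alone:", stdlib_ET.fromstring(XML_WITH_ENTITY).text)
```

The pre-scan costs a second pass over the input; that is acceptable for the small documents server code typically receives, and it keeps the guard independent of how the stdlib parser is later configured.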
msg208373 - Author: Terry J. Reedy (terry.reedy) (Python committer) Date: 2014-01-17 23:56
I took the sentence to mean 1) more than 2). I agree that it should be revised.
msg211290 - Author: Roundup Robot (python-dev) (Python triager) Date: 2014-02-15 20:33
New changeset 1c93895c32d8 by Andrew Kuchling in branch '3.3':
#20237: make a revision pass over the XML vulnerabilities section
msg211292 - Author: A.M. Kuchling (akuchling) (Python committer) Date: 2014-02-15 20:35
I applied Fran Bull's change; thanks for the patch!

The vulnerabilities section had several grammar issues, so I made an editing pass over it and made various other changes in my commit.
History

Date                 User            Action  Args
2014-02-15 20:35:42  akuchling       set     status: open -> closed; nosy: + akuchling; messages: + msg211292; stage: resolved
2014-02-15 20:33:58  python-dev      set     nosy: + python-dev; messages: + msg211290
2014-01-17 23:56:41  terry.reedy     set     nosy: + terry.reedy; messages: + msg208373; versions: - Python 3.2
2014-01-14 18:29:15  r.david.murray  set     messages: + msg208106
2014-01-14 18:03:49  Fran.Bull       set     files: + 20237.patch; nosy: + Fran.Bull; messages: + msg208104; keywords: + patch
2014-01-13 18:47:29  r.david.murray  set     messages: + msg208037
2014-01-13 18:46:47  r.david.murray  set     assignee: docs@python ->; messages: + msg208036; nosy: + r.david.murray, christian.heimes
2014-01-13 10:13:46  methane         create