Message 325648 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	christian.heimes
Recipients	Arfrever, barry, benjamin.peterson, christian.heimes, djc, eli.bendersky, ezio.melotti, franck, georg.brandl, jwilk, larry, martin.panter, mcepl, ned.deily, pitrou, rhettinger, rsandwick3, scoder, serhiy.storchaka, steve.dower, vstinner
Date	2018-09-18.14:14:29
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1537280069.36.0.956365154283.issue17239@psf.upfronthosting.co.za>
In-reply-to

Content
> * only Windows and macOS will get the fix Modules/expat can be used on all platforms. A downstream patch is only a problem for platforms that compile Python with "./configure --with-system-expat". The security fixes for entity expansion blowup and external entity loading are backwards incompatible fixes. Technically they also violate XML standards. In practice the vast majority of users will never run into the issue, because external entities are scarcely used. The expat parser is a non-validating XML parser, so DTDs aren't useful at all. I'd rather break a handful of users than to keep the majority of users vulnerable. To fix billion laughs and quadratic blowup once and for all, we also have to break backwards compatibility and require expat >= 2.3.0. For now the modules still work with old versions of expat. IMO it's fine. Vendors either have to update their libraries or use our copy of expat. Ultimately it's Benjamin's, Larry's, and Ned's decision. They are release managers.

> * only Windows and macOS will get the fix

Modules/expat can be used on all platforms. A downstream patch is only a problem for platforms that compile Python with "./configure --with-system-expat".

The security fixes for entity expansion blowup and external entity loading are backwards incompatible fixes. Technically they also violate XML standards. In practice the vast majority of users will never run into the issue, because external entities are scarcely used. The expat parser is a non-validating XML parser, so DTDs aren't useful at all. I'd rather break a handful of users than to keep the majority of users vulnerable.

To fix billion laughs and quadratic blowup once and for all, we also have to break backwards compatibility and require expat >= 2.3.0. For now the modules still work with old versions of expat. IMO it's fine. Vendors either have to update their libraries or use our copy of expat.

Ultimately it's Benjamin's, Larry's, and Ned's decision. They are release managers.

History
Date	User	Action	Args
2018-09-18 14:14:29	christian.heimes	set	recipients: + christian.heimes, barry, georg.brandl, rhettinger, pitrou, scoder, vstinner, larry, benjamin.peterson, jwilk, ned.deily, djc, mcepl, ezio.melotti, Arfrever, eli.bendersky, martin.panter, serhiy.storchaka, franck, steve.dower, rsandwick3
2018-09-18 14:14:29	christian.heimes	set	messageid: <1537280069.36.0.956365154283.issue17239@psf.upfronthosting.co.za>
2018-09-18 14:14:29	christian.heimes	link	issue17239 messages
2018-09-18 14:14:29	christian.heimes	create