Message395642
(From PSRT list, Sebastian:)
Please note that the vulnerability fix also added two new functions to
the API that would be great to have xml.parsers.expat expose to the
users for full control. These are:
- XML_SetBillionLaughsAttackProtectionMaximumAmplification and
- XML_SetBillionLaughsAttackProtectionActivationThreshold
Module xml.parsers.expat.errors and its docs also need 6 new error code
entries to be complete:
/* Added in 2.0. */
38 XML_ERROR_RESERVED_PREFIX_XML
39 XML_ERROR_RESERVED_PREFIX_XMLNS
40 XML_ERROR_RESERVED_NAMESPACE_URI
/* Added in 2.2.1. */
41 XML_ERROR_INVALID_ARGUMENT
/* Added in 2.3.0. */
42 XML_ERROR_NO_BUFFER
/* Added in 2.4.0. */
43 XML_ERROR_AMPLIFICATION_LIMIT_BREACH
With regard to the table of vulnerabilities mentioned in the ticket,
please note that vulnerability "quadratic blowup" is also fixed by
>=2.4.0. Personally, I consider it a flavor of Billion Laughs and all
known variations are covered, including that one.
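The protection the message refers to (expat >= 2.4.0 aborting with XML_ERROR_AMPLIFICATION_LIMIT_BREACH, code 43) can be exercised from Python today even though the two setters are not exposed. Below is an added example, not code from the tracker, CPython or expat. It assumes expat's documented defaults for the two unexposed settings (a maximum amplification factor of 100.0 and an activation threshold of 8 MiB of output, direct plus expanded bytes), builds a constructed billion-laughs payload, models expat's check arithmetically, and then lets the linked expat decide. Because an unpatched expat would happily expand the whole document, the probe reads `xml.parsers.expat.version_info` first and refuses to parse on anything older than 2.4.0; the function and class names are the example's own.

```python
"""Probe whether the linked expat rejects a billion-laughs document.

Added example (not from the bug tracker, CPython or expat). Assumptions
beyond what the tracker message states:
  - expat's default limits: maximum amplification 100.0, activation
    threshold 8 MiB of output (direct + expanded bytes)
  - the payload built here is constructed sample input
"""
import dataclasses
from typing import Optional, Tuple
import xml.parsers.expat as expat

# Error code of XML_ERROR_AMPLIFICATION_LIMIT_BREACH (added in expat 2.4.0).
AMPLIFICATION_LIMIT_BREACH = 43

# expat's documented defaults (assumed; pyexpat offers no way to change them).
DEFAULT_MAX_AMPLIFICATION = 100.0
DEFAULT_ACTIVATION_THRESHOLD = 8 * 1024 * 1024


def build_billion_laughs(depth: int, width: int, leaf: str = "lol") -> bytes:
    """Constructed payload: lol0 is `leaf`, lol{i} is `width` references to lol{i-1}."""
    decls = ['<!ENTITY lol0 "%s">' % leaf]
    for i in range(1, depth):
        body = ("&lol%d;" % (i - 1)) * width
        decls.append('<!ENTITY lol%d "%s">' % (i, body))
    doc = ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n%s\n]>\n<lolz>&lol%d;</lolz>\n'
           % ("\n".join(decls), depth - 1))
    return doc.encode("ascii")


def expansion_bytes(depth: int, width: int, leaf: str = "lol") -> int:
    """Bytes the top-level reference expands to: len(leaf) * width^(depth-1)."""
    return len(leaf) * width ** (depth - 1)


def amplification_factor(payload: bytes, depth: int, width: int, leaf: str = "lol") -> float:
    """(direct + indirect) / direct, the ratio expat compares against the maximum.

    Indirect bytes are approximated by the final expansion size; expat
    additionally counts the intermediate entity bodies, so this is a floor.
    """
    direct = len(payload)
    return (direct + expansion_bytes(depth, width, leaf)) / direct


def limit_would_trip(payload: bytes, depth: int, width: int, leaf: str = "lol",
                     max_amp: float = DEFAULT_MAX_AMPLIFICATION,
                     threshold: int = DEFAULT_ACTIVATION_THRESHOLD) -> bool:
    """Model of expat's rule: the factor is only enforced once output >= threshold."""
    output = len(payload) + expansion_bytes(depth, width, leaf)
    return output >= threshold and amplification_factor(payload, depth, width, leaf) > max_amp


@dataclasses.dataclass
class ProbeResult:
    expat_version: Tuple[int, ...]
    protection_available: bool   # linked expat is >= 2.4.0
    parsed: bool                 # document was accepted
    error_code: Optional[int]    # ExpatError.code, if parsing failed
    error_message: Optional[str]


def probe(payload: bytes) -> ProbeResult:
    """Parse with default limits; never feed the payload to an unprotected expat."""
    version = tuple(expat.version_info)
    if version < (2, 4, 0):
        return ProbeResult(version, False, False, None,
                           "expat < 2.4.0 has no amplification limit; refusing to parse")
    parser = expat.ParserCreate()
    # No handlers installed: expat still expands internal entities and
    # keeps its byte accounting while doing so.
    try:
        parser.Parse(payload, True)
    except expat.ExpatError as exc:
        return ProbeResult(version, True, False, exc.code, str(exc))
    return ProbeResult(version, True, True, None, None)


if __name__ == "__main__":
    evil = build_billion_laughs(depth=10, width=10)
    print("payload bytes:", len(evil), "expands to:", expansion_bytes(10, 10))
    print("model says limit trips:", limit_would_trip(evil, 10, 10))
    print(probe(evil))
    benign = build_billion_laughs(depth=3, width=10)   # 300 bytes of output
    print(probe(benign))
```

The model and the real parser agree on both documents: the 1 KB payload that expands to 3 GB is refused as soon as expat has produced 8 MiB of output, while a small document that also uses nested entities stays well under the threshold and parses normally. Until pyexpat exposes the two setters, the only knobs a Python application has are these compiled-in defaults, which is the point the message makes.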
Date                | User       | Action | Args
2021-06-11 15:46:25 | gvanrossum | set    | recipients: + gvanrossum, vstinner
2021-06-11 15:46:25 | gvanrossum | set    | messageid: <1623426385.14.0.406624000681.issue44394@roundup.psfhosted.org>
2021-06-11 15:46:25 | gvanrossum | link   | issue44394 messages
2021-06-11 15:46:25 | gvanrossum | create |