
Author gvanrossum
Recipients gvanrossum, vstinner
Date 2021-06-11.15:46:25
Message-id <1623426385.14.0.406624000681.issue44394@roundup.psfhosted.org>
(From PSRT list, Sebastian:)

Please note that the vulnerability fix also added two new functions to
the API that would be great to have xml.parsers.expat expose to the
users for full control.  These are:

- XML_SetBillionLaughsAttackProtectionMaximumAmplification and
- XML_SetBillionLaughsAttackProtectionActivationThreshold

Module xml.parsers.expat.errors and its docs also need 6 new error code
entries to be complete:

  /* Added in 2.0. */
  38 XML_ERROR_RESERVED_PREFIX_XML
  39 XML_ERROR_RESERVED_PREFIX_XMLNS
  40 XML_ERROR_RESERVED_NAMESPACE_URI

  /* Added in 2.2.1. */
  41 XML_ERROR_INVALID_ARGUMENT

  /* Added in 2.3.0. */
  42 XML_ERROR_NO_BUFFER

  /* Added in 2.4.0. */
  43 XML_ERROR_AMPLIFICATION_LIMIT_BREACH

With regard to the table of vulnerabilities mentioned in the ticket,
please note that vulnerability "quadratic blowup" is also fixed by
>=2.4.0.  Personally, I consider it a flavor of Billion Laughs and all
known variations are covered, including that one.
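As an added illustration (not part of the report, and not CPython or libexpat code) of what the two requested knobs control, the following Python measures entity-expansion amplification with what xml.parsers.expat already exposes and applies a maximum amplification and an activation threshold the way libexpat documents them: the amplification ratio is (input bytes + expanded output bytes) / input bytes, and the limit is only enforced once the output reaches the threshold. The accounting is an approximation, since only character data delivered to the handler is counted, not expansion inside the DTD; the sample document is constructed and tiny.

```python
import xml.parsers.expat

# Constructed sample: three levels of eight internal entity references, so
# &d; expands to 8**3 = 512 copies of "ha" (1024 bytes of character data)
# from a 184-byte document. Far below any real limit; it only shows the ratio.
SAMPLE_XML = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE r [\n'
    b'<!ENTITY a "ha">\n'
    b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">\n'
    b'<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;">\n'
    b'<!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;">\n'
    b']>\n'
    b'<r>&d;</r>\n'
)


def measure_amplification(xml_bytes):
    """Return (input_bytes, expanded_bytes, amplification).

    Amplification is (input + expanded output) / input, mirroring the
    libexpat definition. Approximation: expat also counts expansion inside
    the DTD; here only character data reaching the handler is counted.
    """
    expanded = 0

    def on_chars(data):
        nonlocal expanded
        expanded += len(data.encode("utf-8"))

    parser = xml.parsers.expat.ParserCreate()
    parser.CharacterDataHandler = on_chars
    # With libexpat >= 2.4.0 a document that trips the built-in limit raises
    # ExpatError here (XML_ERROR_AMPLIFICATION_LIMIT_BREACH, code 43).
    parser.Parse(xml_bytes, True)
    n_in = len(xml_bytes)
    return n_in, expanded, (n_in + expanded) / n_in


def exceeds_limits(xml_bytes, max_amplification=100.0,
                   activation_threshold=8 * 1024 * 1024):
    """Apply the two knobs as libexpat does: the amplification limit only
    applies once total output reaches the activation threshold.
    Defaults are libexpat's documented defaults (100.0 and 8 MiB)."""
    n_in, expanded, ratio = measure_amplification(xml_bytes)
    return (n_in + expanded) >= activation_threshold and ratio > max_amplification


if __name__ == "__main__":
    n_in, expanded, ratio = measure_amplification(SAMPLE_XML)
    print(f"input={n_in} expanded={expanded} amplification={ratio:.2f}")
    print("default limits exceeded:", exceeds_limits(SAMPLE_XML))
    print("strict limits exceeded:", exceeds_limits(SAMPLE_XML, 5.0, 0))
```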