New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use defusedxml to parse potentially untrusted XML #708

merged 1 commit into from Nov 29, 2017


None yet
3 participants
Copy link

takluyver commented Nov 17, 2017

Untrusted XML data can cause havoc with unprepared parsers. I'm not sure whether our default templates are vulnerable to this, but it makes sense for the filters to be defensive in handling it.

Closes gh-706


This comment has been minimized.

Copy link

Danorcohen commented Nov 29, 2017

Looks good :)

Do you have an estimated release date for 5.4 ?


This comment has been minimized.

Copy link
Member Author

takluyver commented Nov 29, 2017

Thanks. We're working towards a new release, but it may be a few weeks.

@takluyver takluyver merged commit 3e203ce into jupyter:master Nov 29, 2017

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

@takluyver takluyver deleted the takluyver:defusedxml branch Nov 29, 2017


This comment has been minimized.

Copy link

westurner commented Feb 10, 2019

Gitflow and Hubflow have 'hotfix' branches off of the release branch for exactly this problem.

You can branch off the release branch, cherry pick the security patch, bump the version, merge back to the release branch, and cut a release without having to release all of the pending new features on the develop branch.

From :

GitFlow Hotfix Branch

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment