-
-
Notifications
You must be signed in to change notification settings - Fork 30.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Parameter type error for xml.sax.parseString(string, ...) #54799
Comments
In 3.1.3, 3.1.2, maybe earlier... xml.sax.parseString(string, handler, error_handler=handler.ErrorHandler()) Source code requires bytes, not a string as implied by function name and by the documentation. Exception thrown for strings. Since the name includes "string" the source should probably be fixed. Someday replace/augment parseString() with parseBytes()? |
Indeed, xml.dom.minidom.parseString() and xml.etree.ElementTree.fromstring() accepts both bytes and strings, xml.dom.minidom.parse(), xml.etree.ElementTree.parse() and even xml.sax.parse() accepts both byte and text streams. Only xml.sax.parseString() rejects strings in contrast to its name. This looks as 2 to 3 porting bug. |
I'm not very knowledgeable in other XML modules, but I hate to see this patch linger. Also it's a pre-requisite for bpo-16986, it seems. Serhiy, since the patch is large could you give a short summary of the things it fixes? Note that the best approach IMHO is to submit and push minimal patches that fix specific issues and not lump several fixes together, unless it doesn't make sense to separate them. |
Please hold of any modifications of XML code until we have decided how we are going to fix the XML exploits. Also I think this is a new feature and not a fix. parseString() is documented as 'parses from a buffer string'. It doesn't say that it can parse text. |
Low-level part already extracted to bpo-17089 and committed. bpo-16986 has a similar patch for cElementTree. The main part of path was moved to bpo-2175 which is now pre-requisite for bpo-16986 and for this issue. It contains additional tests and additional fixes. It is hard and little sense to split them on separated patches. Let's move the discussion to bpo-2175. And then the patch for this issue will be small and simple, only several lines and one test. At least this issue is less important and actually can be considered as a new feature. |
Serhiy, OK - I'll look at bpo-2175 first. But yes, Christian is right, let's wait for the security issues to be resolved first. |
There was no significant motion in the direction of fixing XML security issues. May be resolve bpo-2175 first? |
New changeset 3ac1b21fbb42 by Serhiy Storchaka in branch '2.7': New changeset ca8666310eb3 by Serhiy Storchaka in branch '3.4': New changeset 846c165cf643 by Serhiy Storchaka in branch 'default': |
After resolving bpo-2175 and committing tests that works with current code, only minimum of changes are left. Here is a patch that adds support of string argument in xml.sax.parseString(). |
New changeset fca669149d8a by Serhiy Storchaka in branch 'default': |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: