Merged
9 changes: 9 additions & 0 deletions Doc/library/pyexpat.rst
Expand Up @@ -558,6 +558,15 @@

.. method:: xmlparser.ExternalEntityRefHandler(context, base, systemId, publicId)

.. warning::

Implementing a handler that accesses local files and/or the network

Check warning on line 563 in Doc/library/pyexpat.rst


GitHub Actions / Docs / Docs

py:class reference target not found: xmlparser [ref.class]
may create a vulnerability to
`external entity attacks <https://en.wikipedia.org/wiki/XML_external_entity_attack>`_
if :class:`xmlparser` is used with user-provided XML content.
Please reflect on your `threat model <https://en.wikipedia.org/wiki/Threat_model>`_
before implementing this handler.

Called for references to external entities. *base* is the current base, as set
by a previous call to :meth:`SetBase`. The public and system identifiers,
*systemId* and *publicId*, are strings if given; if the public identifier is not
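Review bot: the `:class:`xmlparser`` role in the new warning does not resolve; the docs build annotation attached to this hunk reports `py:class reference target not found: xmlparser [ref.class]`, which indicates this file has no `.. class:: xmlparser` target (the parser object's methods are documented as `xmlparser.*`). Use `:class:`!xmlparser`` (the `!` suppresses the cross-reference, the same form the xml.rst hunk uses for `:const:`!pyexpat.EXPAT_VERSION``) or plain ``xmlparser`` so the build stays warning-free. The substance of the warning is right and worth keeping: as the xml.rst change notes, Expat itself does not access local files or the network, so any exposure comes from what the handler does with *systemId* and *base* when the XML is attacker-controlled.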
22 changes: 17 additions & 5 deletions Doc/library/xml.rst
Expand Up @@ -53,11 +53,22 @@ XML security

An attacker can abuse XML features to carry out denial of service attacks,
access local files, generate network connections to other machines, or
circumvent firewalls.

Expat versions lower than 2.6.0 may be vulnerable to "billion laughs",
"quadratic blowup" and "large tokens". Python may be vulnerable if it uses such
older versions of Expat as a system-provided library.
circumvent firewalls when attacker-controlled XML is being parsed,
in Python or elsewhere.

The built-in XML parsers of Python rely on the library `libexpat`_, commonly
called Expat, for parsing XML.

By default, Expat itself does not access local files or create network
connections.

Expat versions lower than 2.7.2 may be vulnerable to the "billion laughs",
"quadratic blowup" and "large tokens" vulnerabilities, or to disproportional
use of dynamic memory.
Python bundles a copy of Expat, and whether Python uses the bundled or a
system-wide Expat, depends on how the Python interpreter
:option:`has been configured <--with-system-expat>` in your environment.
Python may be vulnerable if it uses such older versions of Expat.
Check :const:`!pyexpat.EXPAT_VERSION`.

:mod:`xmlrpc` is **vulnerable** to the "decompression bomb" attack.
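Review bot: the sentence "Python bundles a copy of Expat, and whether Python uses the bundled or a system-wide Expat, depends on how the Python interpreter ..." has a stray comma before "depends"; it reads better as "Python bundles a copy of Expat; whether Python uses the bundled or a system-wide Expat depends on how the Python interpreter :option:`has been configured <--with-system-expat>` in your environment." Consider also mentioning `pyexpat.version_info` next to `pyexpat.EXPAT_VERSION`: it is a tuple of integers, so an application that wants to refuse to parse untrusted XML on an Expat older than 2.7.2 can compare against (2, 7, 2) instead of parsing the version string. The new "By default, Expat itself does not access local files or create network connections" sentence is a useful clarification and pairs well with the new warning on ExternalEntityRefHandler in pyexpat.rst.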
Expand Down Expand Up @@ -90,5 +101,6 @@ large tokens
be used to cause denial of service in the application parsing XML.
The issue is known as :cve:`2023-52425`.

.. _libexpat: https://github.com/libexpat/libexpat
.. _Billion Laughs: https://en.wikipedia.org/wiki/Billion_laughs
.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb