From 3411e8be691e271c5e212638888e5b5a71183d70 Mon Sep 17 00:00:00 2001 From: Sebastian Pipping Date: Sat, 29 Nov 2025 08:08:17 +0100 Subject: [PATCH] gh-141994: Warn of XXE vulnerability in documentation of SAX feature `xml.sax.handler.feature_external_ges` (GH-141996) Doc/library/xml.sax.handler.rst: Warn of XXE with feature_external_ges Related to commit baa9f338971c6a13433a8232db77cd45e6b87b77 (cherry picked from commit 440bcb94560937888cd9bcb28a138acc2c6a6cbc) Co-authored-by: Sebastian Pipping --- Doc/library/xml.sax.handler.rst | 8 ++++++++ .../2025-11-26-23-30-09.gh-issue-141994.arBEG6.rst | 4 ++++ 2 files changed, 12 insertions(+) create mode 100644 Misc/NEWS.d/next/Documentation/2025-11-26-23-30-09.gh-issue-141994.arBEG6.rst diff --git a/Doc/library/xml.sax.handler.rst b/Doc/library/xml.sax.handler.rst index 38ca4507d81e76..f1af7253e437b4 100644 --- a/Doc/library/xml.sax.handler.rst +++ b/Doc/library/xml.sax.handler.rst @@ -96,6 +96,14 @@ for the feature and property names. .. data:: feature_external_ges + .. warning:: + + Enabling opens a vulnerability to + `external entity attacks `_ + if the parser is used with user-provided XML content. + Please reflect on your `threat model `_ + before enabling this feature. + | value: ``"http://xml.org/sax/features/external-general-entities"`` | true: Include all external general (text) entities. | false: Do not include external general entities. diff --git a/Misc/NEWS.d/next/Documentation/2025-11-26-23-30-09.gh-issue-141994.arBEG6.rst b/Misc/NEWS.d/next/Documentation/2025-11-26-23-30-09.gh-issue-141994.arBEG6.rst new file mode 100644 index 00000000000000..c370e8a86e1766 --- /dev/null +++ b/Misc/NEWS.d/next/Documentation/2025-11-26-23-30-09.gh-issue-141994.arBEG6.rst @@ -0,0 +1,4 @@ +:mod:`xml.sax.handler`: Make Documentation of +:data:`xml.sax.handler.feature_external_ges` warn of opening up to `external +entity attacks `_. +Patch by Sebastian Pipping.
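Review bot: In the ``.. warning::`` block added to ``Doc/library/xml.sax.handler.rst``, the first sentence has no subject ("Enabling opens a vulnerability to ..."); suggest "Enabling this feature exposes the parser to external entity attacks (XXE) if it is used with user-provided XML content." The warning should also say what the reader gets when the feature is left alone, since the hunk documents both ``true`` ("Include all external general (text) entities") and ``false`` without stating which value is the default; a reader deciding whether to act on the warning needs that. Finally, in this extract both ``\`external entity attacks \`_`` and ``\`threat model \`_`` appear with no visible link target, so please confirm the hyperlink targets are actually present in the file and that Sphinx resolves them, otherwise the rendered warning points nowhere.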
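Review bot: In the NEWS entry ``Misc/NEWS.d/next/Documentation/2025-11-26-23-30-09.gh-issue-141994.arBEG6.rst``, "Make Documentation of" capitalises a common noun mid-sentence; suggest "Make the documentation of :data:`xml.sax.handler.feature_external_ges` warn that enabling it opens the parser up to external entity attacks." The same ``\`external entity attacks \`_`` reference appears here with no visible target in this extract, so the same check on the link applies.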