-
Notifications
You must be signed in to change notification settings - Fork 51
/
CHANGES.txt
172 lines (110 loc) · 4.02 KB
/
CHANGES.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
Changelog
=========
defusedxml 0.8.0
----------------
*Release date: 2023*
- Fix testing without lxml
- Test on 3.13-dev and PyPy 3.9
defusedxml 0.8.0rc2
-------------------
*Release date: 29-Sep-2023*
- Silence deprecation warning in `defuse_stdlib`.
- Update lxml safety information
defusedxml 0.8.0rc1
-------------------
*Release date: 26-Sep-2023*
- Drop support for Python 2.7, 3.4, and 3.5.
- Test on 3.10, 3.11, and 3.12.
- Add ``defusedxml.ElementTree.fromstringlist()``
- Update *vulnerabilities and features* table in README.
- **Pending removal** The ``defusedxml.lxml`` module has been unmaintained and
deprecated since 2019. The module will be removed in the next version.
- **Pending removal** The ``defusedxml.cElementTree`` will be removed in the
next version. Please use ``defusedxml.ElementTree`` instead.
defusedxml 0.7.1
----------------
*Release date: 08-Mar-2021*
- Fix regression ``defusedxml.ElementTree.ParseError`` (#63)
The ``ParseError`` exception is now the same class object as
``xml.etree.ElementTree.ParseError`` again.
defusedxml 0.7.0
----------------
*Release date: 4-Mar-2021*
- No changes
defusedxml 0.7.0rc2
-------------------
*Release date: 12-Jan-2021*
- Re-add and deprecate ``defusedxml.cElementTree``
- Use GitHub Actions instead of TravisCI
- Restore ``ElementTree`` attribute of ``xml.etree`` module after patching
defusedxml 0.7.0rc1
-------------------
*Release date: 04-May-2020*
- Add support for Python 3.9
- ``defusedxml.cElementTree`` is not available with Python 3.9.
- Python 2 is deprecate. Support for Python 2 will be removed in 0.8.0.
defusedxml 0.6.0
----------------
*Release date: 17-Apr-2019*
- Increase test coverage.
- Add badges to README.
defusedxml 0.6.0rc1
-------------------
*Release date: 14-Apr-2019*
- Test on Python 3.7 stable and 3.8-dev
- Drop support for Python 3.4
- No longer pass *html* argument to XMLParse. It has been deprecated and
ignored for a long time. The DefusedXMLParser still takes a html argument.
A deprecation warning is issued when the argument is False and a TypeError
when it's True.
- defusedxml now fails early when pyexpat stdlib module is not available or
broken.
- defusedxml.ElementTree.__all__ now lists ParseError as public attribute.
- The defusedxml.ElementTree and defusedxml.cElementTree modules had a typo
and used XMLParse instead of XMLParser as an alias for DefusedXMLParser.
Both the old and fixed name are now available.
defusedxml 0.5.0
----------------
*Release date: 07-Feb-2017*
- No changes
defusedxml 0.5.0.rc1
--------------------
*Release date: 28-Jan-2017*
- Add compatibility with Python 3.6
- Drop support for Python 2.6, 3.1, 3.2, 3.3
- Fix lxml tests (XMLSyntaxError: Detected an entity reference loop)
defusedxml 0.4.1
----------------
*Release date: 28-Mar-2013*
- Add more demo exploits, e.g. python_external.py and Xalan XSLT demos.
- Improved documentation.
defusedxml 0.4
--------------
*Release date: 25-Feb-2013*
- As per http://seclists.org/oss-sec/2013/q1/340 please REJECT
CVE-2013-0278, CVE-2013-0279 and CVE-2013-0280 and use CVE-2013-1664,
CVE-2013-1665 for OpenStack/etc.
- Add missing parser_list argument to sax.make_parser(). The argument is
ignored, though. (thanks to Florian Apolloner)
- Add demo exploit for external entity attack on Python's SAX parser, XML-RPC
and WebDAV.
defusedxml 0.3
--------------
*Release date: 19-Feb-2013*
- Improve documentation
defusedxml 0.2
--------------
*Release date: 15-Feb-2013*
- Rename ExternalEntitiesForbidden to ExternalReferenceForbidden
- Rename defusedxml.lxml.check_dtd() to check_docinfo()
- Unify argument names in callbacks
- Add arguments and formatted representation to exceptions
- Add forbid_external argument to all functions and classes
- More tests
- LOTS of documentation
- Add example code for other languages (Ruby, Perl, PHP) and parsers (Genshi)
- Add protection against XML and gzip attacks to xmlrpclib
defusedxml 0.1
--------------
*Release date: 08-Feb-2013*
- Initial and internal release for PSRT review