deprecate defusedxml.lxml

Signed-off-by: Christian Heimes <christian@python.org>
tiran · Apr 14, 2019 · d1260ab · d1260ab
1 parent 94d3be2
commit d1260ab
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 3 deletions.
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -20,6 +20,7 @@ defusedxml 0.6.0.dev1
   Both the old and fixed name are now available.
 
 
+
 defusedxml 0.5.0
 ----------------
 

diff --git a/README.txt b/README.txt
@@ -347,6 +347,9 @@ modify the default by changing the module variable `MAX_DATA`. A value of
 defusedxml.lxml
 ---------------
 
+**DEPRECATED** The module is deprecated and will be removed in a future
+release.
+
 The module acts as an *example* how you could protect code that uses
 lxml.etree. It implements a custom Element class that filters out
 Entity instances, a custom parser factory and a thread local storage for

diff --git a/defusedxml/lxml.py b/defusedxml/lxml.py
@@ -3,7 +3,7 @@
 # Copyright (c) 2013 by Christian Heimes <christian@python.org>
 # Licensed to PSF under a Contributor Agreement.
 # See https://www.python.org/psf/license for licensing details.
-"""Example code for lxml.etree protection
+"""DEPRECATED Example code for lxml.etree protection
 
 The code has NO protection against decompression bombs.
 """
@@ -26,7 +26,8 @@
 warnings.warn(
     "defusedxml.lxml is no longer supported and will be removed in a "
     "future release.",
-    category=DeprecationWarning
+    category=DeprecationWarning,
+    stacklevel=2
 )
 
 

diff --git a/tests.py b/tests.py
@@ -22,14 +22,24 @@
 except ImportError:
     gzip = None
 
+
+if sys.version_info < (3, 7):
+    warnings.filterwarnings(
+        'once',
+        category=DeprecationWarning
+    )
+
+
 try:
-    from defusedxml import lxml
+    with warnings.catch_warnings(record=True) as lxml_warnings:
+        from defusedxml import lxml
     from lxml.etree import XMLSyntaxError
     LXML3 = lxml.LXML3
 except ImportError:
     lxml = None
     XMLSyntaxError = None
     LXML3 = False
+    lxml_warnings = None
 
 
 warnings.filterwarnings(
@@ -38,6 +48,7 @@
     module=r"defusedxml\..*"
 )
 
+
 HERE = os.path.dirname(os.path.abspath(__file__))
 
 # prevent web access
@@ -390,6 +401,11 @@ def test_xpath_injection(self):
         self.assertEqual(len(elements), 1)
         self.assertEqual(elements, list(root)[:1])
 
+    def test_lxml_warnings(self):
+        self.assertTrue(lxml_warnings)
+        self.assertEqual(lxml_warnings[0].category, DeprecationWarning)
+        self.assertIn('tests.py', lxml_warnings[0].filename)
+
 
 class XmlRpcTarget(object):