Skip to content

gh-139313: Improve docs on XML security#139460

Merged
serhiy-storchaka merged 13 commits into
python:mainfrom
hartwork:issue-139313-improve-xml-security-docs
Nov 5, 2025
Merged

gh-139313: Improve docs on XML security#139460
serhiy-storchaka merged 13 commits into
python:mainfrom
hartwork:issue-139313-improve-xml-security-docs

Conversation

@hartwork

@hartwork hartwork commented Sep 30, 2025

Copy link
Copy Markdown
Contributor

Clarify that:
- it takes parsing for an attack
- that some doors are closed by default
- only version 2.7.2 has all the fixes
- use of the bundle depends on configuration
@hartwork

hartwork commented Oct 4, 2025

Copy link
Copy Markdown
Contributor Author

@vstinner I saw your related work in commit cb99d99. Would you be up for review here?

@hartwork

Copy link
Copy Markdown
Contributor Author

@picnixz I was hoping for this PR to be a quick and uncontroversial win for everyone. Would you be up to get this over the finish line with me? Else could you connect me to someone up for it? I believe @hedsnz uncovered some actual issues in #139313 that are worth addressing.

The keys ideas in this pull request are:

  • warn about ExternalEntityRefHandler right where users will be looking
  • try to make clear that XML issues are not a problem of Python in particular
  • that the defaults are pretty good by now
  • that >=2.6.0 is no longer recent enough but >=2.7.2
  • that use of system Expat depends on configuration while resisting to copy details but refer to another page
  • link to upstream Expat for users unknown to Expat

What do you think?

@picnixz picnixz self-requested a review October 13, 2025 17:53
Comment thread Doc/library/xml.rst Outdated
Comment thread Misc/NEWS.d/next/Documentation/2025-09-30-20-57-26.gh-issue-139313.ibcC9q.rst Outdated
@hartwork hartwork requested a review from vstinner October 14, 2025 13:29

@hedsnz hedsnz left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks very much @hartwork, this PR addresses everything in the issue I originally raised, and I think it strikes a good balance between giving enough background so that people know where to start looking for further information, while not giving so much information that is better documented elsewhere.

I've offered a couple of very minor wording suggestions.

Comment thread Doc/library/xml.rst Outdated
Comment thread Doc/library/xml.rst Outdated
Comment thread Doc/library/xml.rst Outdated
Original idea by @hedsnz with adjustments
As suggested by @vstinner
@hartwork

hartwork commented Oct 20, 2025

Copy link
Copy Markdown
Contributor Author

Thanks very much @hartwork, this PR addresses everything in the issue I originally raised, and I think it strikes a good balance between giving enough background so that people know where to start looking for further information, while not giving so much information that is better documented elsewhere.

@hedsnz cool, thanks for your support!

I've offered a couple of very minor wording suggestions.

Thanks for the review!

@hartwork

Copy link
Copy Markdown
Contributor Author

@vstinner could this be merged please please?

@StanFromIreland

Copy link
Copy Markdown
Member

Note that the general guideline around here is to wait a month before pinging, there is a long queue of PRs (>2000!).

@hartwork

hartwork commented Oct 24, 2025

Copy link
Copy Markdown
Contributor Author

@StanFromIreland I understand that the project has many other pull request but I'll be honest with you, I only jumped in to help with this PR here (that was not my own pain point) because I felt like it could be a quick win, and this pull request is way too trivial and tiny to have a life of 3 weeks in my book. It only means that I will twice to be the guy providing doc fixes like this next time. I'm not sure that's intended. I'm happy to team up with you personally on other pull request review in CPython as feasible if that helps you move faster on the queue. Thanks for considering my side.

@vstinner

Copy link
Copy Markdown
Member

@vstinner could this be merged please please?

I don't know XML very well. Maybe @encukou or @serhiy-storchaka would like to review it.

Comment thread Doc/library/pyexpat.rst Outdated
The previous version was apparantly not clear enough.
@hartwork

Copy link
Copy Markdown
Contributor Author

I don't know XML very well. Maybe @encukou or @serhiy-storchaka would like to review it.

@vstinner thanks!

(I was asking you because of your commit cb99d99 on Doc/library/xml.rst.)

@serhiy-storchaka serhiy-storchaka left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. 👍

Comment thread Doc/library/pyexpat.rst Outdated
Comment thread Doc/library/pyexpat.rst
Comment thread Doc/library/xml.rst

@vstinner vstinner left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Should we backport this change to 3.13 and 3.14?

@hartwork

Copy link
Copy Markdown
Contributor Author

LGTM.

@vstinner thank you!

Should we backport this change to 3.13 and 3.14?

I have a feeling the question is probably more towards other Python core devs. If you decide for it and @bedevere-bot has trouble auto-cherry-picking, I'll be happy to help with a manual backbort.

@serhiy-storchaka serhiy-storchaka added needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes labels Oct 29, 2025
@serhiy-storchaka

Copy link
Copy Markdown
Member

If it is worth to be committed in main, it should be backported.

@hartwork

hartwork commented Nov 5, 2025

Copy link
Copy Markdown
Contributor Author

Ready to merge?

@serhiy-storchaka serhiy-storchaka merged commit baa9f33 into python:main Nov 5, 2025
32 checks passed
@github-project-automation github-project-automation Bot moved this from Todo to Done in Docs PRs Nov 5, 2025
@miss-islington-app

Copy link
Copy Markdown

Thanks @hartwork for the PR, and @serhiy-storchaka for merging it 🌮🎉.. I'm working now to backport this PR to: 3.13, 3.14.
🐍🍒⛏🤖

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Nov 5, 2025
Clarify that:
- it takes parsing for an attack
- that some doors are closed by default
- only Expat version 2.7.2 has all the fixes
- use of the bundle depends on configuration
(cherry picked from commit baa9f33)

Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
@bedevere-app

bedevere-app Bot commented Nov 5, 2025

Copy link
Copy Markdown

GH-141065 is a backport of this pull request to the 3.14 branch.

@bedevere-app bedevere-app Bot removed the needs backport to 3.14 bugs and security fixes label Nov 5, 2025
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Nov 5, 2025
Clarify that:
- it takes parsing for an attack
- that some doors are closed by default
- only Expat version 2.7.2 has all the fixes
- use of the bundle depends on configuration
(cherry picked from commit baa9f33)

Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
@bedevere-app

bedevere-app Bot commented Nov 5, 2025

Copy link
Copy Markdown

GH-141066 is a backport of this pull request to the 3.13 branch.

@bedevere-app bedevere-app Bot removed the needs backport to 3.13 bugs and security fixes label Nov 5, 2025
serhiy-storchaka pushed a commit that referenced this pull request Nov 5, 2025
Clarify that:
- it takes parsing for an attack
- that some doors are closed by default
- only Expat version 2.7.2 has all the fixes
- use of the bundle depends on configuration
(cherry picked from commit baa9f33)

Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
serhiy-storchaka pushed a commit that referenced this pull request Nov 5, 2025
Clarify that:
- it takes parsing for an attack
- that some doors are closed by default
- only Expat version 2.7.2 has all the fixes
- use of the bundle depends on configuration
(cherry picked from commit baa9f33)

Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
@hartwork

hartwork commented Nov 5, 2025

Copy link
Copy Markdown
Contributor Author

@serhiy-storchaka thank you! 🙏

@serhiy-storchaka

Copy link
Copy Markdown
Member

Thank you for your contribution.

StanFromIreland pushed a commit to StanFromIreland/cpython that referenced this pull request Dec 6, 2025
Clarify that:
- it takes parsing for an attack
- that some doors are closed by default
- only Expat version 2.7.2 has all the fixes
- use of the bundle depends on configuration
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

docs Documentation in the Doc dir skip news

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

5 participants