gh-90949: Recommend hasattr with Expat security methods (#139800)

Sebastian Pipping 2025-10-14 12:18:09 +02:00 committed by GitHub
parent 13e9c2d18d
commit 0c17473513
GPG key ID: B5690EEEBB952194
2 changed files with 32 additions and 12 deletions


@ -223,10 +223,10 @@ XMLParser Objects
Calling ``SetReparseDeferralEnabled(True)`` allows re-enabling reparse
deferral.
Note that :meth:`SetReparseDeferralEnabled` has been backported to some
prior releases of CPython as a security fix. Check for availability of
:meth:`SetReparseDeferralEnabled` using :func:`hasattr` if used in code
running across a variety of Python versions.
:meth:`!SetReparseDeferralEnabled`
has been backported to some prior releases of CPython as a security fix.
Check for availability using :func:`hasattr` if used in code running
across a variety of Python versions.
.. versionadded:: 3.13
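Review bot: the added paragraph tells readers to check availability with hasattr but never says which object to check; since SetReparseDeferralEnabled is a method on the parser object, a concrete form such as `if hasattr(parser, "SetReparseDeferralEnabled"):` followed by the call would make the advice actionable. The `!` prefix on the :meth: role is appropriate here, as it avoids a self-link from the method's own description.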
@ -257,6 +257,11 @@ against some common XML vulnerabilities.
The corresponding :attr:`~ExpatError.lineno` and :attr:`~ExpatError.offset`
should not be used as they may have no special meaning.
:meth:`!SetBillionLaughsAttackProtectionActivationThreshold`
has been backported to some prior releases of CPython as a security fix.
Check for availability using :func:`hasattr` if used in code running
across a variety of Python versions.
.. note::
Activation thresholds below 4 MiB are known to break support for DITA 1.3
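Review bot: the same four-line "has been backported ... using :func:`hasattr`" paragraph is now pasted verbatim into each of the affected method descriptions in this file; consider factoring it into a reST substitution or one shared note so future wording changes do not drift between copies.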
@ -288,6 +293,11 @@ against some common XML vulnerabilities.
The corresponding :attr:`~ExpatError.lineno` and :attr:`~ExpatError.offset`
should not be used as they may have no special meaning.
:meth:`!SetBillionLaughsAttackProtectionMaximumAmplification`
has been backported to some prior releases of CPython as a security fix.
Check for availability using :func:`hasattr` if used in code running
across a variety of Python versions.
.. note::
The maximum amplification factor is only considered if the threshold
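Review bot: the trailing `.. note::` says the maximum amplification factor is only considered once the activation threshold is reached, so code that guards SetBillionLaughsAttackProtectionMaximumAmplification with hasattr needs to guard the matching threshold setter the same way; consider saying that the two calls are meant to be checked and used as a pair.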
@ -309,6 +319,11 @@ against some common XML vulnerabilities.
The corresponding :attr:`~ExpatError.lineno` and :attr:`~ExpatError.offset`
should not be used as they may have no special meaning.
:meth:`!SetAllocTrackerActivationThreshold`
has been backported to some prior releases of CPython as a security fix.
Check for availability using :func:`hasattr` if used in code running
across a variety of Python versions.
.. versionadded:: next
.. method:: xmlparser.SetAllocTrackerMaximumAmplification(max_factor, /)
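Review bot: the added paragraph says SetAllocTrackerActivationThreshold has been backported to prior releases, while the `.. versionadded:: next` directive immediately after it says the method is not yet in any release; consider wording that makes clear it arrives in the next feature release and in security-fix releases of older branches, so the two statements do not read as contradicting each other.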
@ -334,6 +349,11 @@ against some common XML vulnerabilities.
The corresponding :attr:`~ExpatError.lineno` and :attr:`~ExpatError.offset`
should not be used as they may have no special meaning.
:meth:`!SetAllocTrackerMaximumAmplification`
has been backported to some prior releases of CPython as a security fix.
Check for availability using :func:`hasattr` if used in code running
across a variety of Python versions.
.. note::
The maximum amplification factor is only considered if the threshold


@ -1398,10 +1398,10 @@ XMLParser Objects
Disabling reparse deferral has security consequences; please see
:meth:`xml.parsers.expat.xmlparser.SetReparseDeferralEnabled` for details.
Note that :meth:`flush` has been backported to some prior releases of
CPython as a security fix. Check for availability of :meth:`flush`
using :func:`hasattr` if used in code running across a variety of Python
versions.
:meth:`!flush`
has been backported to some prior releases of CPython as a security fix.
Check for availability using :func:`hasattr` if used in code running
across a variety of Python versions.
.. versionadded:: 3.13
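Review bot: the new paragraph recommends a hasattr check for flush but does not say what a caller should do when the attribute is missing; since the preceding lines tie flush to reparse deferral, one sentence stating whether the call can simply be skipped on releases without the backport would let readers write the fallback branch correctly, e.g. `if hasattr(parser, "flush"): parser.flush()`.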
@ -1476,10 +1476,10 @@ XMLPullParser Objects
Disabling reparse deferral has security consequences; please see
:meth:`xml.parsers.expat.xmlparser.SetReparseDeferralEnabled` for details.
Note that :meth:`flush` has been backported to some prior releases of
CPython as a security fix. Check for availability of :meth:`flush`
using :func:`hasattr` if used in code running across a variety of Python
versions.
:meth:`!flush`
has been backported to some prior releases of CPython as a security fix.
Check for availability using :func:`hasattr` if used in code running
across a variety of Python versions.
.. versionadded:: 3.13