
Reconsider XML Security warnings / obsolete vulnerabilities #127502


Open
hannob opened this issue Dec 2, 2024 · 2 comments
Labels: docs (Documentation in the Doc dir), topic-XML, type-security (A security issue)

Comments


hannob commented Dec 2, 2024

Documentation

The documentation for the xml.etree.ElementTree API contains the following stark warning:
Warning: The xml.etree.ElementTree module is not secure against maliciously constructed data. If you need to parse untrusted or unauthenticated data see XML vulnerabilities.

Similar warnings exist on the documentation pages of other XML standard library functions.

From what I can tell, this warning is outdated, and should probably be reconsidered. If I look at the referenced info here (https://docs.python.org/3/library/xml.html#xml-vulnerabilities), it does say "Vulnerable" for 3 of the 6 issues for the etree API, but each contains a footnote, essentially saying that this is no longer true for a current version of Expat.

Correct me if I'm wrong, but I interpret that this means using these APIs is fine and secure, as long as one does not use an outdated version of Expat with known vulnerabilities. I don't think this justifies the stark warning above.

@hannob hannob added the docs Documentation in the Doc dir label Dec 2, 2024
@tomasr8 tomasr8 added the type-security A security issue label Dec 2, 2024

encukou commented Jun 9, 2025

AFAIK, the table is based on the one in Christian's defusedxml.

@sethmlarson, do we have a better mechanism than tracking these in the docs?

I agree that the table is now obsolete. We might need a note that you need to keep the system expat up to date if using that, and perhaps links to CVEs.

Not sure about removing the note itself -- how careful should we be about unknown vulnerabilities?

vstinner added a commit to vstinner/cpython that referenced this issue Jun 9, 2025
Python 3.15 includes expat 2.7.1 which is not vulnerable.

expat 2.6.0 was released in February 2024.
vstinner added a commit to vstinner/cpython that referenced this issue Jun 9, 2025
Python 3.11-3.15 include expat 2.7.1 which is not vulnerable.

expat 2.6.0 was released in February 2024.

vstinner commented Jun 9, 2025

I agree that the table is now obsolete.

I propose #135294 to update the table. Windows and macOS use expat 2.7.1, most Linux distributions should use expat >= 2.6 (expat 2.6 was released in February 2024). There are (1) and (6) notes to indicate the minimum expat version which is safe.
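The thread above turns on two practical questions: which Expat version a given interpreter is actually linked against (the "keep the system expat up to date" point), and whether an application can cheaply refuse the entity-declaration constructs that the vulnerability table is about instead of relying on the warning. The following is an added example, not code from CPython, defusedxml or any of the commenters. It uses only `pyexpat.version_info` and Expat's `EntityDeclHandler`, both part of the standard library; the 2.6.0 threshold is an assumption taken from the comment above and should be set by your own policy, and the two sample documents are constructed here.

```python
import pyexpat
from xml.etree import ElementTree as ET

# Threshold taken from the discussion (expat >= 2.6). This is a policy value
# you set yourself, not something CPython guarantees.
MIN_EXPAT_VERSION = (2, 6, 0)

# Constructed sample inputs: one plain document, one with an internal entity.
SAMPLE_PLAIN = "<config><item name='a'/></config>"
SAMPLE_WITH_ENTITY = '<!DOCTYPE c [<!ENTITY e "v">]><c>&e;</c>'


class EntityDeclarationFound(Exception):
    """Raised inside the Expat handler to abort parsing at the first declaration."""


def linked_expat_version():
    """(major, minor, micro) of the Expat library this interpreter is linked against."""
    return tuple(pyexpat.version_info)


def expat_is_current(minimum=MIN_EXPAT_VERSION, actual=None):
    """True when the linked (or explicitly given) Expat version is at least `minimum`."""
    actual = linked_expat_version() if actual is None else tuple(actual)
    return actual >= tuple(minimum)


def has_entity_declarations(data):
    """True if the document declares any entity (general, external or parameter).

    A stand-alone Expat parser is used so that parsing stops at the first
    declaration and nothing is ever expanded. Raising from a pyexpat handler
    stops the parser and the exception propagates out of Parse(). This is the
    same 'forbid entities' idea defusedxml applies, written out by hand here.
    """
    parser = pyexpat.ParserCreate()

    def on_entity_decl(*_args):  # handler signature varies; we ignore the fields
        raise EntityDeclarationFound

    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(data, True)
    except EntityDeclarationFound:
        return True
    return False


def parse_untrusted(data, minimum=MIN_EXPAT_VERSION):
    """Parse untrusted XML only if Expat is recent enough and no entities are declared."""
    if not expat_is_current(minimum):
        raise RuntimeError(
            f"linked Expat {linked_expat_version()} is older than required {tuple(minimum)}"
        )
    if has_entity_declarations(data):
        raise ValueError("refusing document that declares entities")
    return ET.fromstring(data)


if __name__ == "__main__":
    print("Expat:", pyexpat.EXPAT_VERSION, "current:", expat_is_current())
    print("plain declares entities:", has_entity_declarations(SAMPLE_PLAIN))
    print("sample declares entities:", has_entity_declarations(SAMPLE_WITH_ENTITY))
```

The version check is deliberately separate from the entity check: a distribution can backport fixes without bumping the Expat version, so the number alone is only a coarse signal, while rejecting entity declarations outright removes the whole class of issues in the table regardless of which Expat is installed.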
