Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

xml.sax.handler.feature_external_ges documentation fails to warn users of getting themselves into XXE territory #141994

Closed
Labels
docsDocumentation in the Doc dirtopic-XML
@hartwork

Description

@hartwork

Documentation

The currentdocumentation onxml.sax.handler.feature_external_ges

Image

…fails to warn that enablingfeature_external_ges will make the XML parser vulnerable toexternal entity attacks.

For a demo:

# Copyright (c) 2025 Sebastian Pipping <sebastian@pipping.org># SPDX-License-Identifier: 0BSDfromioimportStringIOfromtextwrapimportdedentfromxml.sax.expatreaderimportcreate_parserfromxml.sax.handlerimportfeature_external_gesparser=create_parser()parser.setFeature(feature_external_ges,1)content=dedent("""\    <!DOCTYPE root SYSTEM "https://host.invalid/404.dtd">    <root/>""")parser.parse(StringIO(content))

CC@picnixz@hannob

Linked PRs

Metadata

Metadata

Assignees

No one assigned

    Labels

    docsDocumentation in the Doc dirtopic-XML

    Projects

    Status

    Todo

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions

      [8]ページ先頭
      ©2009-2025 Movatter.jp