
Reconsider XML Security warnings / obsolete vulnerabilities #127502

Open
@hannob

Description

Documentation

The documentation for the xml.etree.ElementTree API contains the following stark warning:
Warning: The xml.etree.ElementTree module is not secure against maliciously constructed data. If you need to parse untrusted or unauthenticated data see XML vulnerabilities.

Similar warnings exist on the documentation pages of other XML standard library functions.

From what I can tell, this warning is outdated, and should probably be reconsidered. If I look at the referenced info here
https://docs.python.org/3/library/xml.html#xml-vulnerabilities
it does say "Vulnerable" for 3 of the 6 issues for the etree API, but each contains a footnote, essentially saying that this is no longer true for a current version of Expat.

Correct me if I'm wrong, but I interpret this to mean that using these APIs is fine and secure, as long as one does not use an outdated version of Expat with known vulnerabilities. I don't think this justifies the stark warning above.
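A check for the point the post makes (that the safety of these APIs rests on the linked Expat), added here as an example and not part of the issue or of CPython: it reads the Expat version the running interpreter links and confirms that ElementTree's default parser refuses to resolve an external entity. The threshold 2.4.1 is assumed here as the release that added Expat's built-in amplification limits; the sample document and its placeholder URI are constructed.

```python
import xml.etree.ElementTree as ET
import pyexpat

# Assumed threshold: the Expat release that added built-in
# entity-amplification limits.  Adjust if your baseline differs.
HARDENED_EXPAT = (2, 4, 1)

# Constructed sample: declares an external entity and references it.
# A resolving parser would try to fetch the SYSTEM URI; ElementTree
# leaves it unresolved and reports an error instead.
SAMPLE_WITH_EXTERNAL_ENTITY = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE note [<!ENTITY ext SYSTEM "file:///placeholder-not-read">]>'
    '<note>&ext;</note>'
)


def expat_version() -> tuple:
    """Version tuple of the Expat library this interpreter links."""
    return tuple(pyexpat.version_info)


def expat_is_hardened(version=None) -> bool:
    """True if the given (or linked) Expat meets the assumed threshold."""
    v = expat_version() if version is None else tuple(version)
    return v >= HARDENED_EXPAT


def rejects_external_entity(xml_text: str) -> bool:
    """Parse with ElementTree's default parser.

    Returns True when the external entity reference is refused with a
    ParseError ("undefined entity") rather than silently resolved.
    """
    try:
        ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return "undefined entity" in str(exc)
    return False


if __name__ == "__main__":
    ver = ".".join(map(str, expat_version()))
    state = "hardened" if expat_is_hardened() else "older than assumed threshold"
    print(f"Expat {ver}: {state}")
    print("external entity rejected:",
          rejects_external_entity(SAMPLE_WITH_EXTERNAL_ENTITY))
```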
