From 57f936ecdea75cfa1a7edee72fbca41b7d814796 Mon Sep 17 00:00:00 2001 From: Georg Brandl Date: Sat, 12 Oct 2013 18:19:33 +0200 Subject: [PATCH] Closes #19179: make table of XML vulnerabilities clearer by using "everyday" booleans and explaining the table beforehand. --- Doc/library/xml.rst | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/Doc/library/xml.rst b/Doc/library/xml.rst index d255f7fcc68..d796d828ab8 100644 --- a/Doc/library/xml.rst +++ b/Doc/library/xml.rst @@ -53,15 +53,17 @@ access local files, to generate network connections to other machines, or to or circumvent firewalls. The attacks on XML abuse unfamiliar features like inline `DTD`_ (document type definition) with entities. +The following table gives an overview of the known attacks and if the various +modules are vulnerable to them. ========================= ======== ========= ========= ======== ========= kind sax etree minidom pulldom xmlrpc ========================= ======== ========= ========= ======== ========= -billion laughs **True** **True** **True** **True** **True** -quadratic blowup **True** **True** **True** **True** **True** -external entity expansion **True** False (1) False (2) **True** False (3) -DTD retrieval **True** False False **True** False -decompression bomb False False False False **True** +billion laughs **Yes** **Yes** **Yes** **Yes** **Yes** +quadratic blowup **Yes** **Yes** **Yes** **Yes** **Yes** +external entity expansion **Yes** No (1) No (2) **Yes** No (3) +DTD retrieval **Yes** No No **Yes** No +decompression bomb No No No No **Yes** ========================= ======== ========= ========= ======== ========= 1. :mod:`xml.etree.ElementTree` doesn't expand external entities and raises a