gh-127502: Update XML vulnerability table

[vstinner]

Python 3.11-3.15 include expat 2.7.1 which is not vulnerable.

expat 2.6.0 was released in February 2024.

• Issue: Reconsider XML Security warnings / obsolete vulnerabilities #127502

---

📚 Documentation preview 📚: https://cpython-previews--135294.org.readthedocs.build/

[encukou]

Do you think the table should be kept, now that it says Safe almost everywhere?

[vstinner]

Do you think the table should be kept, now that it says Safe almost everywhere?

The table has many notes with pyexpat versions. There are likely old Python versions in the wild with old pyexat versions.

The question is more if we need to keep the big red warning at the top:

The XML modules are not secure against erroneous or maliciously constructed data. If you need to parse untrusted or unauthenticated data see the XML vulnerabilities and The defusedxml Package sections.

Maybe this warning can just be removed.

Since Python XML modules are now safe by default, we can maybe remove references to the defusedxml project which is no longer needed.

Note: The latest defused version (0.7.0) was released in 2021. There is a 0.8.0rc2 version around since September 2023 with no final release. The project seems to be unmaintained (latest commit: 2 years ago).

[vstinner]

I updated my PR to remove the red warning and remove references to defusedxml.

[hannob]

There are similar warnings in several other files, e.g.:

Doc/library/xml.etree.elementtree.rst
Doc/library/xml.dom.pulldom.rst
Doc/library/xml.dom.minidom.rst
Doc/library/xml.sax.rst

[vstinner]

There are similar warnings in several other files

Good catch. I replaced most warnings with notes. I replaced also "XML Vulnerabilities" with "XML Security".

I kept the warnings for XML-RPC client and server since the XML table still says that XML-RPC is vulnerable to decompression bomb.

[encukou]

The table has many notes with pyexpat versions. There are likely old Python versions in the wild with old pyexat versions.

So maybe the whole table, and the list of vulnerabilities, could be replaced with something like: “Expat versions lower that 2.6.0 may be vulnerable to :cve:xxx-xxx and :cve:xxx-xxx. Python may be vulnerable if it uses such older versions of Expat as a system-provided library, it may be vulnerable. Check :const:!pyexpat.EXPAT_VERSION.”
and maybe a link to defusedxml for details?

@sethmlarson, is it OK to remove the note “The XML processing modules arenot secure against maliciously constructed data”, if all known vulnerabilities are fixed?

[vstinner]

On Linux, Python is usually linked to the system expat library, and so we don't control the expat version. For this reason, I would prefer to keep the table for now. The table contains a lot of information and has many notes.

[vstinner]

@encukou: I removed the table, please review again.

[vstinner]

cc @serhiy-storchaka

[sethmlarson]

@encukou Apologies for the delay, I'm now back from all the conferences in June. I think we're good to remove the table and mentions of "don't use with untrusted data" if we have remediated all known vulnerabilities. Thanks for this!

[vstinner]

@encukou @serhiy-storchaka: What do you think of the updated PR? I addressed your reviews.

[serhiy-storchaka]

LGTM.

[miss-islington-app]

Thanks @vstinner for the PR, and @encukou for merging it 🌮🎉.. I'm working now to backport this PR to: 3.13, 3.14.
🐍🍒⛏🤖

[encukou]

Thank you!

[bedevere-app]

GH-136359 is a backport of this pull request to the 3.14 branch.

[bedevere-app]

GH-136360 is a backport of this pull request to the 3.13 branch.

[vstinner]

Thanks for reviews.