[Question] Which versions of the xml libraries are vulnerable?
swamper123 opened this issue · 2 comments
Hello there,
I found this library a couple of days ago and saw the list of vulnerabilities in other xml libraries.
On what versions is this table based? Always the newest version?
The Python standard library documentation lists version numbers:
https://docs.python.org/3/library/xml.html#xml-vulnerabilities
My understanding is that the listed APIs such as ElementTree are ultimately based on the expat C library, which is vulnerable to billion laughs and quadratic blowup in versions before 2.4.1.
Thus, if your Python is linked against expat >= 2.4.1 and you are using, say, ElementTree, your code should be safe against these attacks, even without defusedxml. At least according to the official Python standard library documentation.
FWIW, for reference, my Fedora 37 system currently provides expat 2.5.0, against which the packaged Python 3.11 indeed links, in the form of /usr/lib64/libexpat.so.1.8.10, which is owned by the expat-2.5.0 package.
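The comment above turns on which libexpat the running interpreter is actually linked against. The following is an added example (not code from defusedxml or from the commenter) showing how to read that version from `pyexpat` and compare it with the 2.4.1 threshold mentioned above, and, as defence in depth for builds on older expat, how to parse with the stdlib while refusing any DTD entity declaration so that entity-expansion payloads are rejected before the expander ever sees them. The helper names, the `EntityDeclarationRejected` exception and the sample documents are assumptions of this example.

```python
"""Check the linked libexpat for the billion-laughs mitigation and parse
XML with the stdlib while rejecting entity declarations outright."""
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET

# expat 2.4.1 introduced amplification limits for entity expansion
BILLION_LAUGHS_FIX = (2, 4, 1)


def linked_expat_version():
    """Version tuple of the libexpat that pyexpat is linked against."""
    return tuple(expat.version_info)


def expat_has_amplification_limits(version=None):
    """True if the given (or linked) expat is at least 2.4.1."""
    v = version if version is not None else linked_expat_version()
    return v >= BILLION_LAUGHS_FIX


class EntityDeclarationRejected(ValueError):
    """Raised when a document tries to declare any entity."""


def parse_without_entities(data):
    """Build an ElementTree from bytes/str, aborting on the first entity
    declaration (internal or external, general or parameter)."""
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()

    def reject(*_args):
        # Any <!ENTITY ...> in the DTD ends parsing immediately; pyexpat
        # propagates exceptions raised inside handlers out of Parse().
        raise EntityDeclarationRejected("entity declarations are not allowed")

    parser.EntityDeclHandler = reject
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)
    return builder.close()


if __name__ == "__main__":
    print("linked expat:", expat.EXPAT_VERSION,
          "mitigated:", expat_has_amplification_limits())
    # constructed sample documents (hypothetical input)
    ok = parse_without_entities(b"<root><a>hi</a></root>")
    print("parsed:", ok.tag, ok[0].text)
    try:
        parse_without_entities(b'<!DOCTYPE r [<!ENTITY e "x">]><r>&e;</r>')
    except EntityDeclarationRejected as exc:
        print("rejected:", exc)
```

Rejecting entity declarations is stricter than what expat 2.4.1's limits do (they still allow bounded expansion), so use it only where documents are not expected to carry a DTD; where they are, checking the version and relying on libexpat's limits, or using defusedxml, is the less disruptive option.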
I have updated the documentation. It now mentions the billion laughs mitigation in libexpat as well as another change in Python's stdlib related to file and network lookups.