
picnixz
Member

@picnixz picnixz commented Sep 26, 2025

Contributor

@hartwork hartwork left a comment

@picnixz already in pretty good shape 👍

Member Author

@picnixz picnixz left a comment

I've updated the PR from the web UI but I'll do the rest tomorrow.

@picnixz picnixz requested review from gpshead and hartwork September 27, 2025 08:19
@picnixz picnixz changed the title gh-90949: expose Expat mitigation API to prevent exponential expansions gh-90949: expose Expat API to prevent exponential expansions Sep 27, 2025
Contributor

@hartwork hartwork left a comment

@picnixz I like this new version! 👍

One question: There were changes in here to the previous related news file. This is what it reads on main today:

# cat Misc/NEWS.d/next/Library/2025-09-22-14-40-11.gh-issue-90949.UM35nb.rst
Add :meth:`~xml.parsers.expat.xmlparser.SetAllocTrackerActivationThreshold`
and :meth:`~xml.parsers.expat.xmlparser.SetAllocTrackerMaximumAmplification`
to :ref:`xmlparser <xmlparser-objects>` objects to prevent use of
disproportional amounts of dynamic memory from within an Expat parser.
Patch by Bénédikt Tran.

From what we discussed here, this should probably say things about tuning also?
Should you or I create a follow-up pull request to adjust that after this?

@picnixz
Member Author

picnixz commented Sep 27, 2025

I'll amend the NEWS as part of this PR.

@picnixz picnixz enabled auto-merge (squash) September 28, 2025 07:58
@picnixz picnixz changed the title gh-90949: expose Expat API to prevent exponential expansions gh-90949: expose Expat API to tune exponential expansion protections Sep 28, 2025
@picnixz picnixz merged commit 6661123 into python:main Sep 28, 2025
45 checks passed
@picnixz picnixz deleted the feat/xml/1e9-lolz-api-90949 branch September 28, 2025 08:37
@picnixz
Member Author

picnixz commented Sep 28, 2025

Since this is built on top of many other PRs, I'll just wait for the others to be backported first.
