Skip to content

gh-90949: Recommend hasattr with Expat security methods #139800

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 9 commits into from
Oct 14, 2025
Merged

gh-90949: Recommend hasattr with Expat security methods #139800

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
834a7e0
Doc/library/pyexpat.rst: Recommend "hasattr" with Expat security methods
hartwork Oct 8, 2025
828f786
Doc/library/pyexpat.rst: Use ".. note::" with SetReparseDeferralEnabled
hartwork Oct 8, 2025
c932512
Doc/library/xml.etree.elementtree.rst: Use ".. note::" for backport n…
hartwork Oct 8, 2025
32d51e3
Doc/library/xml.etree.elementtree.rst: Add missing indent by 3
hartwork Oct 8, 2025
67b5221
Add an exclemation mark to suppress distracting links
hartwork Oct 9, 2025
5014423
Demo more quiet version without ".. note::"
hartwork Oct 9, 2025
a4f79ad
Revert accidental addition of blank line
hartwork Oct 13, 2025
d5ecaa2
Drop "Note that " at the start of the sentence
hartwork Oct 13, 2025
6e397c4
Resolve double self reference
hartwork Oct 13, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 35 additions & 4 deletions Doc/library/pyexpat.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -223,10 +223,12 @@ XMLParser Objects
Calling ``SetReparseDeferralEnabled(True)`` allows re-enabling reparse
deferral.

Note that :meth:`SetReparseDeferralEnabled` has been backported to some
prior releases of CPython as a security fix. Check for availability of
:meth:`SetReparseDeferralEnabled` using :func:`hasattr` if used in code
running across a variety of Python versions.
Note that :meth:`!SetReparseDeferralEnabled`
has been backported to some prior releases of CPython as a security fix.
Check for availability of
:meth:`!SetReparseDeferralEnabled`
using :func:`hasattr` if used in code running across a variety of Python
versions.

.. versionadded:: 3.13

Expand Down Expand Up @@ -257,11 +259,19 @@ against some common XML vulnerabilities.
The corresponding :attr:`~ExpatError.lineno` and :attr:`~ExpatError.offset`
should not be used as they may have no special meaning.

Note that :meth:`!SetBillionLaughsAttackProtectionActivationThreshold`
has been backported to some prior releases of CPython as a security fix.
Check for availability of
:meth:`!SetBillionLaughsAttackProtectionActivationThreshold`
using :func:`hasattr` if used in code running across a variety of Python
versions.

.. note::

Activation thresholds below 4 MiB are known to break support for DITA 1.3
payload and are hence not recommended.


.. versionadded:: next

.. method:: xmlparser.SetBillionLaughsAttackProtectionMaximumAmplification(max_factor, /)
Expand All @@ -288,6 +298,13 @@ against some common XML vulnerabilities.
The corresponding :attr:`~ExpatError.lineno` and :attr:`~ExpatError.offset`
should not be used as they may have no special meaning.

Note that :meth:`!SetBillionLaughsAttackProtectionMaximumAmplification`
has been backported to some prior releases of CPython as a security fix.
Check for availability of
:meth:`!SetBillionLaughsAttackProtectionMaximumAmplification`
using :func:`hasattr` if used in code running across a variety of Python
versions.

.. note::

The maximum amplification factor is only considered if the threshold
Expand All @@ -309,6 +326,13 @@ against some common XML vulnerabilities.
The corresponding :attr:`~ExpatError.lineno` and :attr:`~ExpatError.offset`
should not be used as they may have no special meaning.

Note that :meth:`!SetAllocTrackerActivationThreshold`
has been backported to some prior releases of CPython as a security fix.
Check for availability of
:meth:`!SetAllocTrackerActivationThreshold`
using :func:`hasattr` if used in code running across a variety of Python
versions.

.. versionadded:: next

.. method:: xmlparser.SetAllocTrackerMaximumAmplification(max_factor, /)
Expand All @@ -334,6 +358,13 @@ against some common XML vulnerabilities.
The corresponding :attr:`~ExpatError.lineno` and :attr:`~ExpatError.offset`
should not be used as they may have no special meaning.

Note that :meth:`!SetAllocTrackerMaximumAmplification`
has been backported to some prior releases of CPython as a security fix.
Check for availability of
:meth:`!SetAllocTrackerMaximumAmplification`
using :func:`hasattr` if used in code running across a variety of Python
versions.

.. note::

The maximum amplification factor is only considered if the threshold
Expand Down
12 changes: 8 additions & 4 deletions Doc/library/xml.etree.elementtree.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1398,8 +1398,10 @@ XMLParser Objects
Disabling reparse deferral has security consequences; please see
:meth:`xml.parsers.expat.xmlparser.SetReparseDeferralEnabled` for details.

Note that :meth:`flush` has been backported to some prior releases of
CPython as a security fix. Check for availability of :meth:`flush`
Note that :meth:`!flush`
has been backported to some prior releases of CPython as a security fix.
Check for availability of
:meth:`!flush`
using :func:`hasattr` if used in code running across a variety of Python
versions.

Expand Down Expand Up @@ -1476,8 +1478,10 @@ XMLPullParser Objects
Disabling reparse deferral has security consequences; please see
:meth:`xml.parsers.expat.xmlparser.SetReparseDeferralEnabled` for details.

Note that :meth:`flush` has been backported to some prior releases of
CPython as a security fix. Check for availability of :meth:`flush`
Note that :meth:`!flush`
has been backported to some prior releases of CPython as a security fix.
Check for availability of
:meth:`!flush`
using :func:`hasattr` if used in code running across a variety of Python
versions.

Expand Down
Loading