Closes #19179: make table of XML vulnerabilities clearer by using "everyday" booleans and explaining the table beforehand.

2013-10-12 18:19:33 +02:00 · 2013-10-12 18:19:33 +02:00 · 57f936ecde
parent d8ede4fddd
commit 57f936ecde
1 changed files with 7 additions and 5 deletions
--- a/Doc/library/xml.rst
+++ b/Doc/library/xml.rst
@ -53,15 +53,17 @@ access local files, to generate network connections to other machines, or
 to or circumvent firewalls. The attacks on XML abuse unfamiliar features
 like inline `DTD`_ (document type definition) with entities.

+The following table gives an overview of the known attacks and if the various
+modules are vulnerable to them.

 =========================  ========  =========  =========  ========  =========
 kind                       sax       etree      minidom    pulldom   xmlrpc
 =========================  ========  =========  =========  ========  =========
-billion laughs             **True**  **True**   **True**   **True**  **True**
-quadratic blowup           **True**  **True**   **True**   **True**  **True**
-external entity expansion  **True**  False (1)  False (2)  **True**  False (3)
-DTD retrieval              **True**  False      False      **True**  False
-decompression bomb         False     False      False      False     **True**
+billion laughs             **Yes**   **Yes**    **Yes**    **Yes**   **Yes**
+quadratic blowup           **Yes**   **Yes**    **Yes**    **Yes**   **Yes**
+external entity expansion  **Yes**   No    (1)  No    (2)  **Yes**   No    (3)
+DTD retrieval              **Yes**   No         No         **Yes**   No
+decompression bomb         No        No         No         No        **Yes**
 =========================  ========  =========  =========  ========  =========

 1. :mod:`xml.etree.ElementTree` doesn't expand external entities and raises a