
Conversation

picnixz (Member) commented Sep 26, 2025

hartwork (Contributor) left a comment

@picnixz already in pretty good shape 👍

picnixz (Member, Author) left a comment

I've updated the PR from the web UI but I'll do the rest tomorrow.

picnixz changed the title from "gh-90949: expose Expat mitigation API to prevent exponential expansions" to "gh-90949: expose Expat API to prevent exponential expansions" on Sep 27, 2025
hartwork (Contributor) left a comment

@picnixz I like this new version! 👍

One question: There were changes in here to the previous related news file. This is what it reads on main today:

    # cat Misc/NEWS.d/next/Library/2025-09-22-14-40-11.gh-issue-90949.UM35nb.rst
    Add :meth:`~xml.parsers.expat.xmlparser.SetAllocTrackerActivationThreshold`
    and :meth:`~xml.parsers.expat.xmlparser.SetAllocTrackerMaximumAmplification`
    to :ref:`xmlparser <xmlparser-objects>` objects to prevent use of
    disproportional amounts of dynamic memory from within an Expat parser.
    Patch by Bénédikt Tran.

From what we discussed here, this should probably say things about tuning also?
Should you or I create a follow-up pull request to adjust that after this?
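As an added example (not code from the PR or from CPython), the two xmlparser methods named in the NEWS entry above are configured when the running pyexpat exposes them; the argument meanings (allocated bytes, amplification factor) are assumed from the Expat API, and the Python-side handler is a simplified stand-in that counts expanded text rather than allocator bytes so the limit can be observed on tiny constructed inputs.

```python
import xml.parsers.expat as expat


class AmplificationExceeded(Exception):
    """Raised when expanded text grows disproportionately to the input."""


def parse_with_limits(data, activation_threshold=64, max_amplification=4.0):
    """Parse `data` (bytes); return the number of character-data chars seen.

    When pyexpat exposes the two methods from the NEWS entry (Python 3.15+
    with a recent libexpat) they are set to generous values; their argument
    meanings (allocated bytes, amplification factor) are assumed from Expat.
    The handler below is a simplified stand-in counting expanded text, so the
    limit is observable on tiny inputs where the native tracker stays idle.
    """
    parser = expat.ParserCreate()
    if hasattr(parser, "SetAllocTrackerActivationThreshold"):
        parser.SetAllocTrackerActivationThreshold(64 * 1024 * 1024)
        parser.SetAllocTrackerMaximumAmplification(100.0)
    seen = 0

    def on_text(text):
        nonlocal seen
        seen += len(text)
        # Past the activation threshold, cap expanded chars vs input bytes.
        if seen > activation_threshold and seen > max_amplification * len(data):
            # An exception raised in a handler aborts Parse() and propagates.
            raise AmplificationExceeded(
                f"{seen} chars expanded from {len(data)} input bytes")

    parser.CharacterDataHandler = on_text
    parser.Parse(data, True)  # ExpatError still propagates for malformed input
    return seen


def expansion_is_bounded(data, **limits):
    """True if `data` parses within the limits, False if the guard fires."""
    try:
        parse_with_limits(data, **limits)
    except AmplificationExceeded:
        return False
    return True


# Constructed inputs (not from the PR): a plain document and a three-tier
# internal-entity nesting where ~140 input bytes expand to 1000 chars.
BENIGN = b"<d>hello</d>"
NESTED = (b'<!DOCTYPE d [\n<!ENTITY a "aaaaaaaaaa">\n'
          b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">\n'
          b'<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">\n]>\n<d>&c;</d>')
```

With the defaults the nested sample is rejected (1000 chars from 142 bytes is about 7x), while raising `max_amplification` to 10.0 lets it through, which is the tuning trade-off the comment above asks to document.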

picnixz (Member, Author) commented

I'll amend the NEWS as part of this PR.

picnixz enabled auto-merge (squash) on September 28, 2025 07:58
picnixz changed the title from "gh-90949: expose Expat API to prevent exponential expansions" to "gh-90949: expose Expat API to tune exponential expansion protections" on Sep 28, 2025
picnixz merged commit 6661123 into python:main on Sep 28, 2025
45 checks passed
picnixz deleted the feat/xml/1e9-lolz-api-90949 branch on September 28, 2025 08:37
picnixz (Member, Author) commented

Since this is built on top of many other PRs, I'll just wait for the others to be backported first.

hartwork (Contributor) commented

> Since this is built on top of many other PRs, I'll just wait for the others to be backported first.

@picnixz would the next step for #90949 be backporting this PR here to 3.10 to 3.14? If yes, should we include #139558 and #139800 and backport the three in one? What do you think?


3 participants: @picnixz, @hartwork, @gpshead