.. _xml-pakage-ignore-environment:

xml package does not obey ignore_environment
============================================

.. warning::
    This resource is maintained for historical reference and **does not contain the latest vulnerability info for Python**.

    The `canonical database for vulnerabilities affecting Python <https://github.com/psf/advisory-database>`_ is available on GitHub
    in the Open Source Vulnerability (OSV) format. This database can be viewed online at the
    `Open Source Vulnerability Database <https://osv.dev/list?ecosystem=&q=PSF>`_.

On two occasions, the xml package uses environment variables to override
parser / DOM implementations: ``xml.sax package`` and ``xml.dom.domreg``
module. On both occasions, the code should not use env vars to override
module names, when the interpreter is started with flags like ``-E``
or ``-I``.

Dates:

* Disclosure date: **2018-09-24** (Python issue bpo-34791 reported)

Fixed In
--------

* Python **2.7.16** (2019-03-02) fixed by `commit 2546ac8 (branch 2.7) <https://github.com/python/cpython/commit/2546ac8eeb56fc146adea9a03158440a9271714e>`_ (2018-10-19)
* Python **3.4.10** (2019-03-18) fixed by `commit 765d333 (branch 3.4) <https://github.com/python/cpython/commit/765d333512e9b58da4a4431595a0e81517ef0443>`_ (2019-02-25)
* Python **3.5.7** (2019-03-18) fixed by `commit 7cd08cf (branch 3.5) <https://github.com/python/cpython/commit/7cd08cf62086a8a2d84fd825dfcd8bfe33bf1986>`_ (2019-02-26)
* Python **3.6.8** (2018-12-23) fixed by `commit 5e808f9 (branch 3.6) <https://github.com/python/cpython/commit/5e808f92ea4eb238b17757526b99f97debf7dd57>`_ (2018-10-19)
* Python **3.7.2** (2018-12-23) fixed by `commit c119d59 (branch 3.7) <https://github.com/python/cpython/commit/c119d5948f941d2f528dda3f099e196bd6383000>`_ (2018-10-19)
* Python **3.8.0** (2019-10-14) fixed by `commit 223e501 (branch 3.8) <https://github.com/python/cpython/commit/223e501fb9c2b6ae21b96054e20c4c31d94a5d96>`_ (2018-09-24)

Python issue
------------

xml package does not obey sys.flags.ignore_environment.

* Python issue: `bpo-34791 <https://bugs.python.org/issue34791>`_
* Creation date: 2018-09-24
* Reporter: Christian Heimes

Timeline
--------

Timeline using the disclosure date **2018-09-24** as reference:

* 2018-09-24: `Python issue bpo-34791 <https://bugs.python.org/issue34791>`_ reported by Christian Heimes
* 2018-09-24: `commit 223e501 (branch 3.8) <https://github.com/python/cpython/commit/223e501fb9c2b6ae21b96054e20c4c31d94a5d96>`_
* 2018-10-19 (**+25 days**): `commit 2546ac8 (branch 2.7) <https://github.com/python/cpython/commit/2546ac8eeb56fc146adea9a03158440a9271714e>`_
* 2018-10-19 (**+25 days**): `commit 5e808f9 (branch 3.6) <https://github.com/python/cpython/commit/5e808f92ea4eb238b17757526b99f97debf7dd57>`_
* 2018-10-19 (**+25 days**): `commit c119d59 (branch 3.7) <https://github.com/python/cpython/commit/c119d5948f941d2f528dda3f099e196bd6383000>`_
* 2018-12-23 (**+90 days**): Python 3.6.8 released
* 2018-12-23 (**+90 days**): Python 3.7.2 released
* 2019-02-25 (**+154 days**): `commit 765d333 (branch 3.4) <https://github.com/python/cpython/commit/765d333512e9b58da4a4431595a0e81517ef0443>`_
* 2019-02-26 (**+155 days**): `commit 7cd08cf (branch 3.5) <https://github.com/python/cpython/commit/7cd08cf62086a8a2d84fd825dfcd8bfe33bf1986>`_
* 2019-03-02 (**+159 days**): Python 2.7.16 released
* 2019-03-18 (**+175 days**): Python 3.4.10 released
* 2019-03-18 (**+175 days**): Python 3.5.7 released
* 2019-10-14: Python 3.8.0 released