xml package does not obey ignore_environment¶
Warning
This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.
The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the Open Source Vulnerability Database.
On two occasions, the xml package uses environment variables to override
parser / DOM implementations: xml.sax package and xml.dom.domreg
module. On both occasions, the code should not use env vars to override
module names, when the interpreter is started with flags like -E
or -I.
Dates:
- Disclosure date: 2018-09-24 (Python issue bpo-34791 reported)
Fixed In¶
- Python 2.7.16 (2019-03-02) fixed by commit 2546ac8 (branch 2.7) (2018-10-19)
- Python 3.4.10 (2019-03-18) fixed by commit 765d333 (branch 3.4) (2019-02-25)
- Python 3.5.7 (2019-03-18) fixed by commit 7cd08cf (branch 3.5) (2019-02-26)
- Python 3.6.8 (2018-12-23) fixed by commit 5e808f9 (branch 3.6) (2018-10-19)
- Python 3.7.2 (2018-12-23) fixed by commit c119d59 (branch 3.7) (2018-10-19)
- Python 3.8.0 (2019-10-14) fixed by commit 223e501 (branch 3.8) (2018-09-24)
Python issue¶
xml package does not obey sys.flags.ignore_environment.
- Python issue: bpo-34791
- Creation date: 2018-09-24
- Reporter: Christian Heimes
Timeline¶
Timeline using the disclosure date 2018-09-24 as reference:
- 2018-09-24: Python issue bpo-34791 reported by Christian Heimes
- 2018-09-24: commit 223e501 (branch 3.8)
- 2018-10-19 (+25 days): commit 2546ac8 (branch 2.7)
- 2018-10-19 (+25 days): commit 5e808f9 (branch 3.6)
- 2018-10-19 (+25 days): commit c119d59 (branch 3.7)
- 2018-12-23 (+90 days): Python 3.6.8 released
- 2018-12-23 (+90 days): Python 3.7.2 released
- 2019-02-25 (+154 days): commit 765d333 (branch 3.4)
- 2019-02-26 (+155 days): commit 7cd08cf (branch 3.5)
- 2019-03-02 (+159 days): Python 2.7.16 released
- 2019-03-18 (+175 days): Python 3.4.10 released
- 2019-03-18 (+175 days): Python 3.5.7 released
- 2019-10-14: Python 3.8.0 released