xml package does not obey ignore_environment

On two occasions, the xml package uses environment variables to override parser / DOM implementations: xml.sax package and xml.dom.domreg module. On both occasions, the code should not use env vars to override module names, when the interpreter is started with flags like -E or -I.

• Disclosure date: 2018-09-24 (Python issue bpo-34791 reported)

Fixed In

• Python 2.7.16 (2019-03-02) fixed by commit 2546ac8 (branch 2.7) (2018-10-19)
• Python 3.7.2 (2018-12-23) fixed by commit c119d59 (branch 3.7) (2018-10-19)

Vulnerable Versions

• Python 3.4
• Python 3.5
• Python 3.6

Python issue

xml package does not obey sys.flags.ignore_environment.

• Python issue: bpo-34791
• Creation date: 2018-09-24
• Reporter: Christian Heimes

Timeline

Timeline using the disclosure date 2018-09-24 as reference:

• 2018-09-24: Python issue bpo-34791 reported by Christian Heimes
• 2018-09-24 (+0 days): commit 223e501 (branch 3.8)
• 2018-10-19 (+25 days): commit 2546ac8 (branch 2.7)
• 2018-10-19 (+25 days): commit 5e808f9 (branch 3.6)
• 2018-10-19 (+25 days): commit c119d59 (branch 3.7)
• 2018-12-23 (+90 days): Python 3.7.2 released
• 2019-02-25 (+154 days): commit 765d333 (branch 3.4)
• 2019-02-26 (+155 days): commit 7cd08cf (branch 3.5)
• 2019-03-02 (+159 days): Python 2.7.16 released