xml package does not obey ignore_environment


This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the Open Source Vulnerability Database.

On two occasions, the xml package uses environment variables to override parser / DOM implementations: xml.sax package and xml.dom.domreg module. On both occasions, the code should not use env vars to override module names, when the interpreter is started with flags like -E or -I.


  • Disclosure date: 2018-09-24 (Python issue bpo-34791 reported)

Fixed In

Python issue

xml package does not obey sys.flags.ignore_environment.

  • Python issue: bpo-34791
  • Creation date: 2018-09-24
  • Reporter: Christian Heimes


Timeline using the disclosure date 2018-09-24 as reference: