gh-141994: Warn of XXE vulnerability in documentation of SAX feature xml.sax.handler.feature_external_ges (GH-141996)

hartwork · web-flow · commit 440bcb945609 · 2025-11-28T23:08:17.000-08:00
Doc/library/xml.sax.handler.rst: Warn of XXE with feature_external_ges Related to commit baa9f33
diff --git a/Doc/library/xml.sax.handler.rst b/Doc/library/xml.sax.handler.rst
@@ -96,6 +96,14 @@ for the feature and property names.
 
 .. data:: feature_external_ges
 
+   .. warning::
+
+      Enabling opens a vulnerability to
+      `external entity attacks <https://en.wikipedia.org/wiki/XML_external_entity_attack>`_
+      if the parser is used with user-provided XML content.
+      Please reflect on your `threat model <https://en.wikipedia.org/wiki/Threat_model>`_
+      before enabling this feature.
+
    | value: ``"http://xml.org/sax/features/external-general-entities"``
    | true: Include all external general (text) entities.
    | false: Do not include external general entities.
diff --git a/Misc/NEWS.d/next/Documentation/2025-11-26-23-30-09.gh-issue-141994.arBEG6.rst b/Misc/NEWS.d/next/Documentation/2025-11-26-23-30-09.gh-issue-141994.arBEG6.rst
@@ -0,0 +1,4 @@
+:mod:`xml.sax.handler`: Make Documentation of
+:data:`xml.sax.handler.feature_external_ges` warn of opening up to `external
+entity attacks <https://en.wikipedia.org/wiki/XML_external_entity_attack>`_.
+Patch by Sebastian Pipping.
