python / cpython

The Python programming language
https://www.python.org

Expose error code `XML_ERROR_NOT_STARTED` of Expat >=2.6.4 #126624

Open hartwork opened 2 weeks ago

hartwork commented 2 weeks ago

Bug report

Bug description:

The error code was introduced by a security fix (at https://github.com/libexpat/libexpat/commit/51c7019069b862e88d94ed228659e70bddd5de09), but the XML_StopParser C-API is not exposed through CPython yet, so it should not be possible to encounter such an error. In particular, exposing the error code can be considered a feature or postponed until https://github.com/python/cpython/issues/59979 is resolved.

CPython versions tested on:

3.9, 3.10, 3.11, 3.12, 3.13, 3.14, CPython main branch

Operating systems tested on:

Linux, macOS, Windows, Other

picnixz commented 2 weeks ago

@hartwork Is this one needed for security reasons or bug fixes? (I assumed no, hence the "feature request"). Depending on your answer, we would need to backport it.

hartwork commented 2 weeks ago

@picnixz it was introduced by a security fix (at https://github.com/libexpat/libexpat/pull/915/commits/51c7019069b862e88d94ed228659e70bddd5de09). I would like to vote for backporting because the underlying Expat is moving and hence could start producing that error code and distros will be backporting the security fix. I can help with the backport as needed. What do you think?

picnixz commented 2 weeks ago

> I would like to vote for backporting

In general, we have a strict policy of what we backport and when. Bug fixes are backported up to the oldstable version (3.12) while security fixes are backported to all security branches (3.9+).

> could start producing that error code

If it can produce that error code and can be reachable from Python (not C) code, then I think it makes sense to backport it as far as https://github.com/python/cpython/issues/126623 is backported. Having had a look at your PR, I think it can be reachable from pure Python code (namely the user can see such an error). So I'll categorize this one as a security issue as well (not strictly a security issue, just that it's a follow-up to https://github.com/python/cpython/issues/126623).

> I can help with the backport as needed

I don't think it'll be needed since the bot will likely handle them if there's no conflict. If there are conflicts, they'll likely be easy to fix (if not, you can definitely help).

hartwork commented 2 weeks ago

@picnixz I just found that the XML_StopParser C-API is not exposed through CPython yet — #59979 — which makes this error code not likely to be observable from CPython then. It will likely not need a backport then.

picnixz commented 2 weeks ago

Oh, then I'll consider it as a new feature. Sorry for the noise!

hartwork commented 2 weeks ago

@picnixz I learned something in the process, no worries. Thanks for the discussion.