git.ipfire.org Git - thirdparty/Python/cpython.git/commitdiff
gh-141994: Warn of XXE vulnerability in documentation of SAX feature `xml.sax.handler...
author Sebastian Pipping <sebastian@pipping.org>
Sat, 29 Nov 2025 07:08:17 +0000 (08:08 +0100)
committer GitHub <noreply@github.com>
Sat, 29 Nov 2025 07:08:17 +0000 (23:08 -0800)
Doc/library/xml.sax.handler.rst: Warn of XXE with feature_external_ges

Related to commit baa9f338971c6a13433a8232db77cd45e6b87b77

Doc/library/xml.sax.handler.rst
Misc/NEWS.d/next/Documentation/2025-11-26-23-30-09.gh-issue-141994.arBEG6.rst [new file with mode: 0644]

index 38ca4507d81e760b3910ee9dd769395234f84edd..f1af7253e437b446a8b8e73494c0b3d60786b75d 100644 (file)
@@ -96,6 +96,14 @@ for the feature and property names.
 
 .. data:: feature_external_ges
 
+   .. warning::
+
+      Enabling opens a vulnerability to
+      `external entity attacks <https://en.wikipedia.org/wiki/XML_external_entity_attack>`_
+      if the parser is used with user-provided XML content.
+      Please reflect on your `threat model <https://en.wikipedia.org/wiki/Threat_model>`_
+      before enabling this feature.
+
    | value: ``"http://xml.org/sax/features/external-general-entities"``
    | true: Include all external general (text) entities.
    | false: Do not include external general entities.
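Review bot: the first line of the new warning, "Enabling opens a vulnerability to", has no subject and reads awkwardly; suggest "Enabling this feature exposes the parser to `external entity attacks <...>`_ when it processes XML from untrusted sources." The second sentence ("Please reflect on your threat model before enabling this feature") is advice rather than documentation; either drop it or replace it with the concrete rule a reader can act on, such as only enabling the feature for documents whose origin is fully under your control. Two further points for this hunk: the warning would be far more useful if it stated the feature's default value, because a reader landing on this page cannot otherwise tell whether a parser they did not configure is already exposed; and the rest of the xml docs cross-reference the library's own XML vulnerabilities section in Doc/library/xml.rst with :ref: rather than linking to Wikipedia, so consider doing the same here (in addition to, or instead of, the external link) so the guidance stays consistent with the module-level warnings.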
diff --git a/Misc/NEWS.d/next/Documentation/2025-11-26-23-30-09.gh-issue-141994.arBEG6.rst b/Misc/NEWS.d/next/Documentation/2025-11-26-23-30-09.gh-issue-141994.arBEG6.rst
new file mode 100644 (file)
index 0000000..c370e8a
--- /dev/null
@@ -0,0 +1,4 @@
+:mod:`xml.sax.handler`: Make Documentation of
+:data:`xml.sax.handler.feature_external_ges` warn of opening up to `external
+entity attacks <https://en.wikipedia.org/wiki/XML_external_entity_attack>`_.
+Patch by Sebastian Pipping.
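Review bot: the NEWS sentence "Make Documentation of :data:`...` warn of opening up to `external entity attacks <...>`_" is hard to parse and capitalizes "Documentation" mid-sentence; suggest "Document that enabling :data:`xml.sax.handler.feature_external_ges` exposes the parser to external entity (XXE) attacks." A NEWS entry for a documentation change does not need the Wikipedia link; the plain phrase is enough and avoids a link target split across lines 36 and 37.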
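To make the new warning concrete, the following Python script is an added example; it is not part of this commit and not CPython's own test code. It builds a hostile document whose external general entity points at a local file (the classic file-disclosure form of XXE), writes a made-up "secret" into a temporary directory, and parses the same bytes twice with xml.sax, once with feature_external_ges off and once on. The helper names (TextCollector, parse_text, build_attacker_xml, current_default, demo) are the example's own. Since Python 3.7.1 the expat-based SAX parser disables this feature by default; the script sets it explicitly on both runs so the comparison does not depend on the interpreter version.

```python
import io
import os
import tempfile
from xml.sax import make_parser
from xml.sax.handler import ContentHandler, feature_external_ges
from xml.sax.xmlreader import InputSource


class TextCollector(ContentHandler):
    """Collects every characters() callback; the entity body, if it is
    expanded, arrives here chunk by chunk."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    @property
    def text(self):
        return "".join(self.chunks)


def current_default():
    """What a freshly created parser does with external general entities.
    Useful as a quick check of the interpreter you are actually running on."""
    return make_parser().getFeature(feature_external_ges)


def parse_text(xml_bytes, external_ges):
    """Parse in-memory XML with feature_external_ges set explicitly and
    return the character data the ContentHandler saw."""
    parser = make_parser()
    handler = TextCollector()
    parser.setContentHandler(handler)
    # Set on both code paths so the result does not depend on the default.
    parser.setFeature(feature_external_ges, external_ges)
    source = InputSource()
    source.setByteStream(io.BytesIO(xml_bytes))
    parser.parse(source)
    return handler.text


def build_attacker_xml(path):
    """Constructed hostile input: an external general entity whose system
    identifier is a local file path. A real attacker would aim it at
    /etc/passwd or an http: URL; the example points at a file it created."""
    return (
        "<?xml version='1.0'?>\n"
        "<!DOCTYPE note [\n"
        f'  <!ENTITY leak SYSTEM "{path}">\n'
        "]>\n"
        "<note>&leak;</note>\n"
    ).encode()


def demo():
    """Run the same document through a locked-down and an opened-up parser.
    Returns (text with the feature off, text with the feature on)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w") as f:
            f.write("secret-token-123")  # constructed sample secret
        xml_bytes = build_attacker_xml(secret_path)
        off = parse_text(xml_bytes, external_ges=False)
        on = parse_text(xml_bytes, external_ges=True)
    return off, on


if __name__ == "__main__":
    print(f"default for feature_external_ges on this interpreter: {current_default()}")
    off, on = demo()
    print(f"feature_external_ges=False -> {off!r}")
    print(f"feature_external_ges=True  -> {on!r}")
```

With the feature off the entity reference is silently dropped: the parser reports no error and the handler sees an empty element, which is why a misconfiguration here is easy to miss in testing. With it on, the file contents are delivered to characters() as if they had been written inline, which is exactly the disclosure the warning is about. The same switch governs entities with http: and other URL system identifiers, which the SAX reader fetches with urllib, so enabling it on untrusted input also exposes the host to server-side request forgery; the example uses a local path only so that it runs offline.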