gh-90949: expose Expat API to tune exponential expansion protections

[picnixz]

This is built on top of #139366.

cc @hartwork

• Issue: Expose Expat XML attack protection APIs #90949

---

📚 Documentation preview 📚: https://cpython-previews--139368.org.readthedocs.build/

[hartwork]

@picnixz already in pretty good shape 👍

[picnixz]

I've updated the PR from the web UI but I'll do the rest tomorrow.

[hartwork]

@picnixz I like this new version! 👍

One question: There were changes in here to the previous related news file. This is what it reads on main today:

# cat Misc/NEWS.d/next/Library/2025-09-22-14-40-11.gh-issue-90949.UM35nb.rst
Add :meth:`~xml.parsers.expat.xmlparser.SetAllocTrackerActivationThreshold`
and :meth:`~xml.parsers.expat.xmlparser.SetAllocTrackerMaximumAmplification`
to :ref:`xmlparser <xmlparser-objects>` objects to prevent use of
disproportional amounts of dynamic memory from within an Expat parser.
Patch by Bénédikt Tran.

From what we discussed here, this should probably says things about tuning also?
Should you or me create a follow-up pull request to adjust that after this?

[picnixz]

I'll amend the NEWS as part of this PR.

[picnixz]

Since this is built on top of many other PRs, I'll just wait for the others to be backported first.

[hartwork]

Since this is built on top of many other PRs, I'll just wait for the others to be backported first.

@picnixz would the next step for #90949 be backporting this PR here to 3.10 to 3.14? If yes, should we include #139558 and #139800 and backport three in one? What do you think?

[miss-islington-app]

Thanks @picnixz for the PR 🌮🎉.. I'm working now to backport this PR to: 3.10.
🐍🍒⛏🤖

[miss-islington-app]

Thanks @picnixz for the PR 🌮🎉.. I'm working now to backport this PR to: 3.11.
🐍🍒⛏🤖

[miss-islington-app]

Thanks @picnixz for the PR 🌮🎉.. I'm working now to backport this PR to: 3.12.
🐍🍒⛏🤖

[miss-islington-app]

Thanks @picnixz for the PR 🌮🎉.. I'm working now to backport this PR to: 3.13.
🐍🍒⛏🤖

[miss-islington-app]

Thanks @picnixz for the PR 🌮🎉.. I'm working now to backport this PR to: 3.14.
🐍🍒⛏🤖

[miss-islington-app]

Sorry, @picnixz, I could not cleanly backport this to 3.10 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 666112376d574c7802646ee1df6244062671cd61 3.10

[miss-islington-app]

Sorry, @picnixz, I could not cleanly backport this to 3.11 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 666112376d574c7802646ee1df6244062671cd61 3.11

[miss-islington-app]

Sorry, @picnixz, I could not cleanly backport this to 3.12 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 666112376d574c7802646ee1df6244062671cd61 3.12

[miss-islington-app]

Sorry, @picnixz, I could not cleanly backport this to 3.13 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 666112376d574c7802646ee1df6244062671cd61 3.13

[miss-islington-app]

Sorry, @picnixz, I could not cleanly backport this to 3.14 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 666112376d574c7802646ee1df6244062671cd61 3.14

[picnixz]

@StanFromIreland I see that the backports here totally failed and then it passed under my radar. Could you backport this PR (and any other PRs that need to be backported with it, including docs changes) to 3.14 so that you're no more blocked? I'm sorry to dump my work on you but I won't be available otherwise for that today :(

[StanFromIreland]

It's fine, I've put it on my list, I'll get to it soon-ish.