kiorky / SOAPpy


SOAPpy: XML billion laughs attack unfixed for client

thoger opened this issue · comments

Commit 64125a2 fixes the billion laughs issue in SOAPpy. However, given the way the forbid_* defaults were chosen and how the client and server parts call parseSOAPRPC, the client side remains vulnerable to the billion laughs attack. A malicious SOAP server can cause a SOAPpy client to use an excessive amount of memory and CPU time.

FWIW, the _parseSOAP arguments seem confusing, given that ignore_ext overlaps with forbid_*, and that setting it to true disables not only external entities as the argument name suggests, but also internal entities.
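As an added illustration of the two points raised in the issue (not SOAPpy's code, and not the fix in 64125a2), the following parses a SOAP response with three independent switches named after the forbid_* arguments, rejecting a document at the entity declaration, before anything is expanded; the function names, the defaults and the sample documents are this example's own assumptions.

```python
import xml.parsers.expat as expat


class ForbiddenXML(Exception):
    """Raised at the declaration, before any entity is expanded."""


def parse_soap_response(data, forbid_dtd=False, forbid_entities=True, forbid_external=True):
    """Return the element names of a SOAP envelope, or raise ForbiddenXML (defaults are hypothetical)."""
    names = []
    parser = expat.ParserCreate()

    def start_doctype(name, sysid, pubid, has_internal_subset):
        if forbid_dtd:
            raise ForbiddenXML("DTD not allowed: %s" % name)

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # expat passes replacement text for internal entities and None for external
        # ones, so the two can be policed independently (unlike a single ignore_ext).
        if value is not None and forbid_entities:
            raise ForbiddenXML("internal entity declaration: %s" % name)
        if value is None and forbid_external:
            raise ForbiddenXML("external entity declaration: %s" % name)

    def external_ref(context, base, sysid, pubid):
        if forbid_external:
            raise ForbiddenXML("external entity reference: %s" % sysid)
        return 1  # permitted but never fetched: the reference expands to nothing

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(data, True)
    return names


def classify(data, **switches):
    """None if the response is accepted, otherwise the reason it was refused."""
    try:
        parse_soap_response(data, **switches)
        return None
    except ForbiddenXML as exc:
        return str(exc)


# Constructed samples, not captured traffic: a plain response, the same response with
# nested internal entity declarations of the billion-laughs shape, and one external entity.
BENIGN = ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
          '<soap:Body><getPriceResponse>42</getPriceResponse></soap:Body></soap:Envelope>')
NESTED = '<!DOCTYPE soap:Envelope [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;&lol;">]>' + BENIGN
EXTERNAL = '<!DOCTYPE soap:Envelope [<!ENTITY ext SYSTEM "http://example.invalid/x">]>' + BENIGN
```

With the client-side defaults shown, NESTED is refused at its first declaration while BENIGN parses; switching forbid_entities off accepts NESTED, and switching forbid_external off accepts EXTERNAL, which is the separation that a single ignore_ext flag cannot express.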