[issue42051] plistlib inherits XML vulnerabilities: we should document them

2020-10-19 Thread Ned Deily
Ned Deily added the comment: New changeset a158fb9c5138db94adf24fbc5690467cda811163 by Miss Skeleton (bot) in branch '3.6': bpo-42051: Reject XML entity declarations in plist files (GH-22760) (GH-22801) (GH-22804)

2020-10-19 Thread miss-islington
Change by miss-islington: pull_requests: +21761; pull_request: https://github.com/python/cpython/pull/22804

2020-10-19 Thread Ned Deily
Ned Deily added the comment: New changeset e512bc799e3864fe3b1351757261762d63471efc by Ned Deily in branch '3.7': bpo-42051: Reject XML entity declarations in plist files (#22760) (GH-22801) https://github.com/python/cpython/commit/e512bc799e3864fe3b1351757261762d63471efc

2020-10-19 Thread miss-islington
miss-islington added the comment: New changeset 65894cac0835cb8f469f649e20aa1be8bf89f5ae by Miss Skeleton (bot) in branch '3.8': bpo-42051: Reject XML entity declarations in plist files (GH-22760) https://github.com/python/cpython/commit/65894cac0835cb8f469f649e20aa1be8bf89f5ae

2020-10-19 Thread miss-islington
miss-islington added the comment: New changeset 479553c7c11306a09ce34edb6ef208133b7b95fe by Miss Skeleton (bot) in branch '3.9': bpo-42051: Reject XML entity declarations in plist files (GH-22760) https://github.com/python/cpython/commit/479553c7c11306a09ce34edb6ef208133b7b95fe

2020-10-19 Thread Ned Deily
Change by Ned Deily: nosy: +ned.deily; nosy_count: 5.0 -> 6.0; pull_requests: +21758; pull_request: https://github.com/python/cpython/pull/22801

2020-10-19 Thread miss-islington
Change by miss-islington: nosy: +miss-islington; nosy_count: 4.0 -> 5.0; pull_requests: +21733; pull_request: https://github.com/python/cpython/pull/22771

2020-10-19 Thread miss-islington
Change by miss-islington: pull_requests: +21734; pull_request: https://github.com/python/cpython/pull/22772

2020-10-19 Thread Ronald Oussoren
Ronald Oussoren added the comment: New changeset 05ee790f4d1cd8725a90b54268fc1dfe5b4d1fa2 by Ronald Oussoren in branch 'master': bpo-42051: Reject XML entity declarations in plist files (#22760) https://github.com/python/cpython/commit/05ee790f4d1cd8725a90b54268fc1dfe5b4d1fa2

2020-10-19 Thread Ronald Oussoren
Ronald Oussoren added the comment: The PR is fairly simple: just reject files with entity declarations as invalid files. Adding an option to accept entity declarations should not be necessary, as Apple tools won't accept these declarations.

2020-10-19 Thread Ronald Oussoren
Change by Ronald Oussoren: keywords: +patch; pull_requests: +21725; stage: -> patch review; pull_request: https://github.com/python/cpython/pull/22760

2020-10-19 Thread Ronald Oussoren
Ronald Oussoren added the comment: I'm working on a PR.

2020-10-18 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: Oh, I missed that there is a handler for EntityDecl. Well, then we can fix this issue in a few lines of code. I think it should be backported. We can add a private flag (global or class variable) to enable entity declarations, but not support them in 3.10.
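The approach the thread settles on (the comment above and Ronald Oussoren's PR description) shown as an added example, not the plistlib patch itself: an expat parser installs an EntityDeclHandler and fails closed on the first entity declaration, before any entity can be referenced or expanded. The flat dict-of-strings parser, InvalidPlistError and both sample documents are constructed for this example.

```python
import xml.parsers.expat

class InvalidPlistError(ValueError):
    """Raised for XML features a plist never needs (here: entity declarations)."""

# Constructed samples: a normal plist with Apple's standard DOCTYPE, and one
# that smuggles an entity declaration into the internal DTD subset.
GOOD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict><key>Name</key><string>demo</string></dict></plist>"""
BAD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist [ <!ENTITY ent "x"> ]>
<plist version="1.0"><dict><key>Name</key><string>&ent;</string></dict></plist>"""

def parse_plist_strings(data: bytes) -> dict:
    """Parse a flat <dict> of <string> values with expat, rejecting the document
    as soon as expat reports any entity declaration (internal or external)."""
    parser = xml.parsers.expat.ParserCreate()
    result, state = {}, {"key": None, "text": []}

    def entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        # An exception raised inside a handler aborts Parse() and propagates to the caller.
        raise InvalidPlistError(f"entity declaration {name!r} is not allowed in plist files")

    def start(tag, attrs):
        state["text"] = []

    def chars(text):
        state["text"].append(text)

    def end(tag):
        text = "".join(state["text"])
        if tag == "key":
            state["key"] = text
        elif tag == "string" and state["key"] is not None:
            result[state["key"]] = text
            state["key"] = None

    parser.EntityDeclHandler = entity_decl   # the check the thread converges on
    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return result

def is_safe_plist(data: bytes) -> bool:
    """True when the document parses without any entity declaration."""
    try:
        parse_plist_strings(data)
    except InvalidPlistError:
        return False
    return True
```

The external DTD named in the standard DOCTYPE is never fetched, because no ExternalEntityRefHandler is installed; only the internal-subset `<!ENTITY ...>` in the second sample trips the handler.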

2020-10-18 Thread Ronald Oussoren
Ronald Oussoren added the comment: One option is to copy what defusedxml does to forbid a number of unsafe operations, see https://github.com/tiran/defusedxml/blob/eb38a2d710b67df48614cb5098ddb8472289ce6d/defusedxml/ElementTree.py#L68 Defusedxml uses an XMLParser subclass that optionally

2020-10-18 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: It seems that we cannot control entity definitions and expansions. We can only limit the number of expanded entities per element (the size of self.data). What is the reasonable default limit (taking into account that every and is a separate entity)? How

2020-10-16 Thread Ronald Oussoren
Ronald Oussoren added the comment: Is there something we could do in plistlib to avoid those problems? Plist XML files are not arbitrary XML. In particular, disabling entity definitions would avoid the problems mentioned, as plist files should not contain those. That said, a quick glance at

2020-10-16 Thread STINNER Victor
Change by STINNER Victor: nosy: +serhiy.storchaka

2020-10-16 Thread STINNER Victor
New submission from STINNER Victor: The XML documentation starts with a red warning: "Warning: The XML modules are not secure against erroneous or maliciously constructed data. If you need to parse untrusted or unauthenticated data see the XML vulnerabilities and The defusedxml Package