diff options
| author |   Miss Skeleton (bot) <31488909+miss-islington@users.noreply.github.com> | 2020-10-19 21:38:30 -0700 |
|---|---|---|
| committer |   GitHub <noreply@github.com> | 2020-10-20 00:38:30 -0400 |
| commit | a158fb9c5138db94adf24fbc5690467cda811163 (patch) | |
| tree | eb519c962b5f50a0600e4db9150d8db94595b437 | |
| parent | Disable macOS CI tests in azure-pipelines (GH-22639) (diff) | |
| download | cpython-a158fb9c5138db94adf24fbc5690467cda811163.tar.gz cpython-a158fb9c5138db94adf24fbc5690467cda811163.tar.bz2 cpython-a158fb9c5138db94adf24fbc5690467cda811163.zip | |
bpo-42051: Reject XML entity declarations in plist files (GH-22760) (GH-22801) (GH-22804)
Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
(cherry picked from commit e512bc799e3864fe3b1351757261762d63471efc)
Co-authored-by: Ned Deily <nad@python.org>
| -rw-r--r-- | Lib/plistlib.py | 7 | ||||
| -rw-r--r-- | Lib/test/test_plistlib.py | 18 | ||||
| -rw-r--r-- | Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst | 3 |
3 files changed, 28 insertions, 0 deletions
diff --git a/Lib/plistlib.py b/Lib/plistlib.py index a9186437255..6e030f25b21 100644 --- a/Lib/plistlib.py +++ b/Lib/plistlib.py @@ -322,9 +322,16 @@ class _PlistParser: self.parser.StartElementHandler = self.handle_begin_element self.parser.EndElementHandler = self.handle_end_element self.parser.CharacterDataHandler = self.handle_data + self.parser.EntityDeclHandler = self.handle_entity_decl self.parser.ParseFile(fileobj) return self.root + def handle_entity_decl(self, entity_name, is_parameter_entity, value, base, system_id, public_id, notation_name): + # Reject plist files with entity declarations to avoid XML vulnerabilies in expat. + # Regular plist files don't contain those declerations, and Apple's plutil tool does not + # accept them either. + raise InvalidFileException("XML entity declarations are not supported in plist files") + def handle_begin_element(self, element, attrs): self.data = [] handler = getattr(self, "begin_" + element, None) diff --git a/Lib/test/test_plistlib.py b/Lib/test/test_plistlib.py index d47c607329c..abb1b81e6b0 100644 --- a/Lib/test/test_plistlib.py +++ b/Lib/test/test_plistlib.py @@ -90,6 +90,19 @@ TESTDATA={ xQHHAsQC0gAAAAAAAAIBAAAAAAAAADkAAAAAAAAAAAAAAAAAAALs'''), } +XML_PLIST_WITH_ENTITY=b'''\ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd" [ + <!ENTITY entity "replacement text"> + ]> +<plist version="1.0"> + <dict> + <key>A</key> + <string>&entity;</string> + </dict> +</plist> +''' + class TestPlistlib(unittest.TestCase): @@ -444,6 +457,11 @@ class TestPlistlib(unittest.TestCase): pl2 = plistlib.loads(data) self.assertEqual(dict(pl), dict(pl2)) + def test_xml_plist_with_entity_decl(self): + with self.assertRaisesRegex(plistlib.InvalidFileException, + "XML entity declarations are not supported"): + plistlib.loads(XML_PLIST_WITH_ENTITY, fmt=plistlib.FMT_XML) + class TestBinaryPlistlib(unittest.TestCase): diff --git a/Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst b/Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst new file mode 100644 index 00000000000..e865ed12a03 --- /dev/null +++ b/Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst @@ -0,0 +1,3 @@ +The :mod:`plistlib` module no longer accepts entity declarations in XML +plist files to avoid XML vulnerabilities. This should not affect users as +entity declarations are not used in regular plist files. |