
bpo-42051: Reject XML entity declarations in plist files #22760

Merged
merged 1 commit into from
Oct 19, 2020

Conversation

ronaldoussoren
Contributor

@ronaldoussoren ronaldoussoren commented Oct 19, 2020

plistlib uses ElementTree to parse XML files, and therefore is subject to a number of XML vulnerabilities. Those can be avoided by rejecting entity declarations in XML plist files.

Doing this is safe because Apple tools like plutil(1) also reject XML files with entity declarations.

https://bugs.python.org/issue42051
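An added illustration of the approach the PR describes, not CPython's own patch: a minimal expat-based plist reader that installs an EntityDeclHandler which raises as soon as the DTD declares any entity, so the file is rejected before expansion, while a normal plist carrying Apple's external DOCTYPE reference still parses. `StrictPlistParser` and the `InvalidFileException` class below are stand-ins written for this example (plistlib has its own exception of that name), and both sample documents are constructed.

```python
from xml.parsers.expat import ParserCreate


class InvalidFileException(ValueError):
    """Stand-in for plistlib's exception: the file uses a construct we refuse."""


def _reject_entity_decl(entity_name, is_parameter_entity, value, base,
                        system_id, public_id, notation_name):
    # expat reports every <!ENTITY ...> in the DTD before any expansion,
    # so raising here aborts the parse before the entity can be used.
    raise InvalidFileException(
        "XML entity declarations are not supported in plist files")


class StrictPlistParser:
    """Minimal XML plist reader (dict of string values); hypothetical
    helper written for this example, not CPython's plistlib."""

    def __init__(self):
        self.result, self._key, self._text = {}, None, []

    def parse(self, data: bytes) -> dict:
        p = ParserCreate()
        p.StartElementHandler = lambda name, attrs: self._text.clear()
        p.CharacterDataHandler = self._text.append
        p.EndElementHandler = self._end
        p.EntityDeclHandler = _reject_entity_decl  # the security check
        p.Parse(data, True)
        return self.result

    def _end(self, name):
        value = "".join(self._text)
        if name == "key":
            self._key = value
        elif name == "string" and self._key is not None:
            self.result[self._key], self._key = value, None


# Constructed samples: a normal plist (external DOCTYPE only, no entity
# declarations) and one whose internal DTD subset declares an entity.
SAFE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict><key>Name</key><string>demo</string></dict></plist>"""
ENTITY_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist [ <!ENTITY x "expanded"> ]>
<plist version="1.0"><dict><key>Name</key><string>&x;</string></dict></plist>"""
```

Because expat never fetches the external DTD unless an ExternalEntityRefHandler is installed, the PUBLIC/SYSTEM identifiers on the safe document are inert; only an actual entity declaration triggers the handler.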

Member

@tiran tiran left a comment


Thanks, that's a simple and great solution for the issue. LGTM

@ronaldoussoren ronaldoussoren merged commit 05ee790 into python:master Oct 19, 2020
@bedevere-bot

@ronaldoussoren: Please replace # with GH- in the commit message next time. Thanks!

@miss-islington
Contributor

Thanks @ronaldoussoren for the PR 🌮🎉.. I'm working now to backport this PR to: 3.8, 3.9.
🐍🍒⛏🤖

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Oct 19, 2020
)

(cherry picked from commit 05ee790)

Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
@bedevere-bot

GH-22771 is a backport of this pull request to the 3.9 branch.

@bedevere-bot bedevere-bot removed the needs backport to 3.9 only security fixes label Oct 19, 2020
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Oct 19, 2020
)

(cherry picked from commit 05ee790)

Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
@bedevere-bot

GH-22772 is a backport of this pull request to the 3.8 branch.

@miss-islington
Contributor

Thanks @ronaldoussoren for the PR 🌮🎉.. I'm working now to backport this PR to: 3.6.
🐍🍒⛏🤖

@miss-islington
Contributor

Thanks @ronaldoussoren for the PR 🌮🎉.. I'm working now to backport this PR to: 3.7.
🐍🍒⛏🤖

@miss-islington
Contributor

Sorry, @ronaldoussoren, I could not cleanly backport this to 3.6 due to a conflict.
Please backport using cherry_picker on command line.
cherry_picker 05ee790f4d1cd8725a90b54268fc1dfe5b4d1fa2 3.6

@miss-islington
Contributor

Sorry @ronaldoussoren, I had trouble checking out the 3.7 backport branch.
Please backport using cherry_picker on command line.
cherry_picker 05ee790f4d1cd8725a90b54268fc1dfe5b4d1fa2 3.7

@miss-islington
Contributor

Thanks @ronaldoussoren for the PR 🌮🎉.. I'm working now to backport this PR to: 3.7.
🐍🍒⛏🤖

@miss-islington
Contributor

Sorry, @ronaldoussoren, I could not cleanly backport this to 3.7 due to a conflict.
Please backport using cherry_picker on command line.
cherry_picker 05ee790f4d1cd8725a90b54268fc1dfe5b4d1fa2 3.7

@ned-deily
Member

I'm looking at the conflicts.

@bedevere-bot

GH-22801 is a backport of this pull request to the 3.7 branch.

miss-islington added a commit that referenced this pull request Oct 20, 2020
(cherry picked from commit 05ee790)

Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
miss-islington added a commit that referenced this pull request Oct 20, 2020
(cherry picked from commit 05ee790)

Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
ned-deily added a commit that referenced this pull request Oct 20, 2020
…-22801)

Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Oct 20, 2020
) (pythonGH-22801)

Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
(cherry picked from commit e512bc7)

Co-authored-by: Ned Deily <nad@python.org>
@ned-deily ned-deily added the type-security A security issue label Oct 20, 2020
ned-deily added a commit that referenced this pull request Oct 20, 2020
…H-22801) (GH-22804)

Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
(cherry picked from commit e512bc7)

Co-authored-by: Ned Deily <nad@python.org>
gentoo-bot pushed a commit to gentoo/cpython that referenced this pull request Dec 14, 2020
) (pythonGH-22801) (pythonGH-22804)

Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
(cherry picked from commit e512bc7)

Co-authored-by: Ned Deily <nad@python.org>

Rebased for Python 2.7 by Michał Górny <mgorny@gentoo.org>
adorilson pushed a commit to adorilson/cpython that referenced this pull request Mar 13, 2021
icanhasmath added a commit to ActiveState/cpython that referenced this pull request Mar 12, 2024
… (GC-22801)

Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
Co-authored-by: Ned Deily <nad@python.org>
rickprice added a commit to ActiveState/cpython that referenced this pull request Mar 12, 2024
bpo-42051: Reject XML entity declarations in plist files (python#22760) (GC-22801)
rickprice pushed a commit to ActiveState/cpython that referenced this pull request Jun 26, 2024
… (GC-22801)

Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
Co-authored-by: Ned Deily <nad@python.org>
icanhasmath added a commit to ActiveState/cpython that referenced this pull request Jul 30, 2024
… (GC-22801)

Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
Co-authored-by: Ned Deily <nad@python.org>

Add InvalidFileException class.
RaisesRegex is RaisesRegexp in python2.
plistlib.loads is in the python3 version of plistlib,
but there are too many changes to backport this simply.
icanhasmath added a commit to ActiveState/cpython that referenced this pull request Jul 30, 2024
… (GC-22801)

Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
Co-authored-by: Ned Deily <nad@python.org>

Add InvalidFileException class.
RaisesRegex is RaisesRegexp in python2.
plistlib.loads is in the python3 version of plistlib,
but there are too many changes to backport this simply.
Labels
type-security A security issue