bpo-42051: Reject XML entity declarations in plist files (#22760)

This commit is contained in:
Ronald Oussoren 2020-10-19 20:13:49 +02:00 committed by GitHub
parent 985f0ab3ad
commit 05ee790f4d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 28 additions and 0 deletions

View File

@ -173,9 +173,16 @@ class _PlistParser:
self.parser.StartElementHandler = self.handle_begin_element
self.parser.EndElementHandler = self.handle_end_element
self.parser.CharacterDataHandler = self.handle_data
self.parser.EntityDeclHandler = self.handle_entity_decl
self.parser.ParseFile(fileobj)
return self.root
def handle_entity_decl(self, entity_name, is_parameter_entity, value, base, system_id, public_id, notation_name):
# Reject plist files with entity declarations to avoid XML vulnerabilies in expat.
# Regular plist files don't contain those declerations, and Apple's plutil tool does not
# accept them either.
raise InvalidFileException("XML entity declarations are not supported in plist files")
def handle_begin_element(self, element, attrs):
self.data = []
handler = getattr(self, "begin_" + element, None)

View File

@ -106,6 +106,19 @@ TESTDATA={
AAABOQ=='''),
}
XML_PLIST_WITH_ENTITY=b'''\
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd" [
<!ENTITY entity "replacement text">
]>
<plist version="1.0">
<dict>
<key>A</key>
<string>&entity;</string>
</dict>
</plist>
'''
class TestPlistlib(unittest.TestCase):
@ -524,6 +537,11 @@ class TestPlistlib(unittest.TestCase):
with self.assertRaises(OverflowError):
plistlib.dumps(huge_uid, fmt=plistlib.FMT_BINARY)
def test_xml_plist_with_entity_decl(self):
with self.assertRaisesRegex(plistlib.InvalidFileException,
"XML entity declarations are not supported"):
plistlib.loads(XML_PLIST_WITH_ENTITY, fmt=plistlib.FMT_XML)
class TestBinaryPlistlib(unittest.TestCase):

View File

@ -0,0 +1,3 @@
The :mod:`plistlib` module no longer accepts entity declarations in XML
plist files to avoid XML vulnerabilities. This should not affect users as
entity declarations are not used in regular plist files.