Mailing List Archive

bpo-42051: Reject XML entity declarations in plist files (GH-22760)
https://github.com/python/cpython/commit/479553c7c11306a09ce34edb6ef208133b7b95fe
commit: 479553c7c11306a09ce34edb6ef208133b7b95fe
branch: 3.9
author: Miss Skeleton (bot) <31488909+miss-islington@users.noreply.github.com>
committer: GitHub <noreply@github.com>
date: 2020-10-19T19:34:37-07:00
summary:

bpo-42051: Reject XML entity declarations in plist files (GH-22760)

(cherry picked from commit 05ee790f4d1cd8725a90b54268fc1dfe5b4d1fa2)

Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>

files:
A Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst
M Lib/plistlib.py
M Lib/test/test_plistlib.py

diff --git a/Lib/plistlib.py b/Lib/plistlib.py
index aff5fe36ca38b..ba7ac1936479f 100644
--- a/Lib/plistlib.py
+++ b/Lib/plistlib.py
@@ -173,9 +173,16 @@ def parse(self, fileobj):
self.parser.StartElementHandler = self.handle_begin_element
self.parser.EndElementHandler = self.handle_end_element
self.parser.CharacterDataHandler = self.handle_data
+ self.parser.EntityDeclHandler = self.handle_entity_decl
self.parser.ParseFile(fileobj)
return self.root

+ def handle_entity_decl(self, entity_name, is_parameter_entity, value, base, system_id, public_id, notation_name):
+ # Reject plist files with entity declarations to avoid XML vulnerabilies in expat.
+ # Regular plist files don't contain those declerations, and Apple's plutil tool does not
+ # accept them either.
+ raise InvalidFileException("XML entity declarations are not supported in plist files")
+
def handle_begin_element(self, element, attrs):
self.data = []
handler = getattr(self, "begin_" + element, None)
diff --git a/Lib/test/test_plistlib.py b/Lib/test/test_plistlib.py
index e82a53c533df0..7cc6bad4235cc 100644
--- a/Lib/test/test_plistlib.py
+++ b/Lib/test/test_plistlib.py
@@ -105,6 +105,19 @@
AAABOQ=='''),
}

+XML_PLIST_WITH_ENTITY=b'''\
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd" [
+ <!ENTITY entity "replacement text">
+ ]>
+<plist version="1.0">
+ <dict>
+ <key>A</key>
+ <string>&entity;</string>
+ </dict>
+</plist>
+'''
+

class TestPlistlib(unittest.TestCase):

@@ -523,6 +536,11 @@ def test_modified_uid_huge(self):
with self.assertRaises(OverflowError):
plistlib.dumps(huge_uid, fmt=plistlib.FMT_BINARY)

+ def test_xml_plist_with_entity_decl(self):
+ with self.assertRaisesRegex(plistlib.InvalidFileException,
+ "XML entity declarations are not supported"):
+ plistlib.loads(XML_PLIST_WITH_ENTITY, fmt=plistlib.FMT_XML)
+

class TestBinaryPlistlib(unittest.TestCase):

diff --git a/Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst b/Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst
new file mode 100644
index 0000000000000..e865ed12a0387
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst
@@ -0,0 +1,3 @@
+The :mod:`plistlib` module no longer accepts entity declarations in XML
+plist files to avoid XML vulnerabilities. This should not affect users as
+entity declarations are not used in regular plist files.

_______________________________________________
Python-checkins mailing list
Python-checkins@python.org
https://mail.python.org/mailman/listinfo/python-checkins
bpo-42051: Reject XML entity declarations in plist files (GH-22760) [ In reply to ]
https://github.com/python/cpython/commit/65894cac0835cb8f469f649e20aa1be8bf89f5ae
commit: 65894cac0835cb8f469f649e20aa1be8bf89f5ae
branch: 3.8
author: Miss Skeleton (bot) <31488909+miss-islington@users.noreply.github.com>
committer: GitHub <noreply@github.com>
date: 2020-10-19T19:35:23-07:00
summary:

bpo-42051: Reject XML entity declarations in plist files (GH-22760)

(cherry picked from commit 05ee790f4d1cd8725a90b54268fc1dfe5b4d1fa2)

Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>

files:
A Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst
M Lib/plistlib.py
M Lib/test/test_plistlib.py

diff --git a/Lib/plistlib.py b/Lib/plistlib.py
index 04f8a87634d35..533ed1351f135 100644
--- a/Lib/plistlib.py
+++ b/Lib/plistlib.py
@@ -285,9 +285,16 @@ def parse(self, fileobj):
self.parser.StartElementHandler = self.handle_begin_element
self.parser.EndElementHandler = self.handle_end_element
self.parser.CharacterDataHandler = self.handle_data
+ self.parser.EntityDeclHandler = self.handle_entity_decl
self.parser.ParseFile(fileobj)
return self.root

+ def handle_entity_decl(self, entity_name, is_parameter_entity, value, base, system_id, public_id, notation_name):
+ # Reject plist files with entity declarations to avoid XML vulnerabilies in expat.
+ # Regular plist files don't contain those declerations, and Apple's plutil tool does not
+ # accept them either.
+ raise InvalidFileException("XML entity declarations are not supported in plist files")
+
def handle_begin_element(self, element, attrs):
self.data = []
handler = getattr(self, "begin_" + element, None)
diff --git a/Lib/test/test_plistlib.py b/Lib/test/test_plistlib.py
index 0d887e210dde5..de1c848ae265f 100644
--- a/Lib/test/test_plistlib.py
+++ b/Lib/test/test_plistlib.py
@@ -105,6 +105,19 @@
AAABOQ=='''),
}

+XML_PLIST_WITH_ENTITY=b'''\
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd" [
+ <!ENTITY entity "replacement text">
+ ]>
+<plist version="1.0">
+ <dict>
+ <key>A</key>
+ <string>&entity;</string>
+ </dict>
+</plist>
+'''
+

class TestPlistlib(unittest.TestCase):

@@ -525,6 +538,11 @@ def test_modified_uid_huge(self):
with self.assertRaises(OverflowError):
plistlib.dumps(huge_uid, fmt=plistlib.FMT_BINARY)

+ def test_xml_plist_with_entity_decl(self):
+ with self.assertRaisesRegex(plistlib.InvalidFileException,
+ "XML entity declarations are not supported"):
+ plistlib.loads(XML_PLIST_WITH_ENTITY, fmt=plistlib.FMT_XML)
+

class TestBinaryPlistlib(unittest.TestCase):

diff --git a/Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst b/Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst
new file mode 100644
index 0000000000000..e865ed12a0387
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst
@@ -0,0 +1,3 @@
+The :mod:`plistlib` module no longer accepts entity declarations in XML
+plist files to avoid XML vulnerabilities. This should not affect users as
+entity declarations are not used in regular plist files.

_______________________________________________
Python-checkins mailing list
Python-checkins@python.org
https://mail.python.org/mailman/listinfo/python-checkins