
bpo-42051: Reject XML entity declarations in plist files #22760

Merged
merged 1 commit into from Oct 19, 2020

Conversation

ronaldoussoren
Contributor

@ronaldoussoren ronaldoussoren commented Oct 19, 2020

plistlib uses ElementTree to parse XML files, and therefore is subject to a number of XML vulnerabilities. Those can be avoided by rejecting entity declarations in XML plist files.

Doing this is safe because Apple tools like plutil(1) also reject XML files with entity declarations.

https://bugs.python.org/issue42051
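
The mechanism the PR describes, as an added example that is not the PR's diff and not CPython's own code: expat calls its entity-declaration handler for every `<!ENTITY ...>` in the DTD internal subset before any entity is expanded, so raising from that handler stops both exponential expansion ("billion laughs") and external-entity fetches. The helper names (`has_entity_declarations`, `load_plist_strictly`, `plistlib_rejects`, `EntityDeclarationError`) and the three sample plists are constructed here for illustration; the check against `plistlib.InvalidFileException` assumes an interpreter that already carries this fix.

```python
"""Reject XML entity declarations up front, the way the patched plistlib does.
Added example; the sample documents below are constructed for this demo."""
import plistlib
import xml.parsers.expat

# Constructed sample: an ordinary plist. The external DTD reference in the
# DOCTYPE is normal for plists and is not an entity declaration.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.app</string>
</dict>
</plist>
"""

# Constructed sample: nested entity expansion. Only three levels here; the
# real attack nests deeper so the expanded text grows exponentially while
# the file itself stays small.
EXPANSION_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist [
  <!ENTITY a "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
]>
<plist version="1.0">
<dict>
    <key>Name</key>
    <string>&c;</string>
</dict>
</plist>
"""

# Constructed sample: an external (SYSTEM) entity declaration, the XXE shape.
XXE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist [
  <!ENTITY passwd SYSTEM "file:///etc/passwd">
]>
<plist version="1.0">
<dict>
    <key>Name</key>
    <string>&passwd;</string>
</dict>
</plist>
"""


class EntityDeclarationError(ValueError):
    """Raised from the expat handler on the first <!ENTITY ...> declaration."""


def has_entity_declarations(data: bytes) -> bool:
    """Scan XML with expat and report whether it declares any entity.

    The handler fires while the DTD is being read, before the document body
    and before any expansion, so the cost is bounded by the DTD size.
    """
    parser = xml.parsers.expat.ParserCreate()

    def reject(name, is_parameter_entity, value, base, system_id, public_id, notation_name):
        # Same signature expat passes to EntityDeclHandler; abort on any kind
        # (internal, external, parameter) without inspecting it further.
        raise EntityDeclarationError(f"entity declaration not allowed: {name!r}")

    parser.EntityDeclHandler = reject
    try:
        parser.Parse(data, True)
    except EntityDeclarationError:
        return True
    return False


def load_plist_strictly(data: bytes):
    """Return the parsed plist, or None if it was rejected.

    Rejection can come from the explicit pre-check above or from plistlib
    itself, which (with this fix applied) raises InvalidFileException on
    the first entity declaration it meets.
    """
    if has_entity_declarations(data):
        return None
    try:
        return plistlib.loads(data)
    except plistlib.InvalidFileException:
        return None


def plistlib_rejects(data: bytes) -> bool:
    """True if this interpreter's plistlib refuses the document outright."""
    try:
        plistlib.loads(data)
    except plistlib.InvalidFileException:
        return True
    return False


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PLIST), ("expansion", EXPANSION_PLIST), ("xxe", XXE_PLIST)):
        print(f"{label}: declares entities={has_entity_declarations(doc)} "
              f"plistlib rejects={plistlib_rejects(doc)}")
```

On an interpreter with this fix, `plistlib_rejects` is true for both malicious samples and the pre-check is redundant; it is kept here because it makes the policy explicit, works on older interpreters, and can be applied to any XML input, not only plists. Note that the fix only covers the XML plist path: binary plists never go through expat, so this check says nothing about them.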

tiran
tiran approved these changes Oct 19, 2020
Member

@tiran tiran left a comment

Thanks, that's a simple and great solution for the issue. LGTM

@ronaldoussoren ronaldoussoren merged commit 05ee790 into python:master Oct 19, 2020
10 checks passed
@bedevere-bot

@bedevere-bot bedevere-bot commented Oct 19, 2020

@ronaldoussoren: Please replace # with GH- in the commit message next time. Thanks!

@miss-islington
Contributor

@miss-islington miss-islington commented Oct 19, 2020

Thanks @ronaldoussoren for the PR 🌮🎉.. I'm working now to backport this PR to: 3.8, 3.9.
🐍🍒🤖

miss-islington pushed a commit to miss-islington/cpython that referenced this issue Oct 19, 2020
)

(cherry picked from commit 05ee790)

Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
@bedevere-bot

@bedevere-bot bedevere-bot commented Oct 19, 2020

GH-22771 is a backport of this pull request to the 3.9 branch.

miss-islington pushed a commit to miss-islington/cpython that referenced this issue Oct 19, 2020
)

(cherry picked from commit 05ee790)

Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
@bedevere-bot

@bedevere-bot bedevere-bot commented Oct 19, 2020

GH-22772 is a backport of this pull request to the 3.8 branch.

@miss-islington
Contributor

@miss-islington miss-islington commented Oct 19, 2020

Thanks @ronaldoussoren for the PR 🌮🎉.. I'm working now to backport this PR to: 3.6.
🐍🍒🤖

@miss-islington
Contributor

@miss-islington miss-islington commented Oct 19, 2020

Thanks @ronaldoussoren for the PR 🌮🎉.. I'm working now to backport this PR to: 3.7.
🐍🍒🤖

@miss-islington
Contributor

@miss-islington miss-islington commented Oct 19, 2020

Sorry, @ronaldoussoren, I could not cleanly backport this to 3.6 due to a conflict.
Please backport using cherry_picker on command line.
cherry_picker 05ee790f4d1cd8725a90b54268fc1dfe5b4d1fa2 3.6

@miss-islington
Contributor

@miss-islington miss-islington commented Oct 19, 2020

Sorry @ronaldoussoren, I had trouble checking out the 3.7 backport branch.
Please backport using cherry_picker on command line.
cherry_picker 05ee790f4d1cd8725a90b54268fc1dfe5b4d1fa2 3.7

@miss-islington
Contributor

@miss-islington miss-islington commented Oct 19, 2020

Thanks @ronaldoussoren for the PR 🌮🎉.. I'm working now to backport this PR to: 3.7.
🐍🍒🤖

@miss-islington
Contributor

@miss-islington miss-islington commented Oct 19, 2020

Sorry, @ronaldoussoren, I could not cleanly backport this to 3.7 due to a conflict.
Please backport using cherry_picker on command line.
cherry_picker 05ee790f4d1cd8725a90b54268fc1dfe5b4d1fa2 3.7

@ned-deily
Member

@ned-deily ned-deily commented Oct 19, 2020

I'm looking at the conflicts.

@bedevere-bot

@bedevere-bot bedevere-bot commented Oct 20, 2020

GH-22801 is a backport of this pull request to the 3.7 branch.

miss-islington added a commit that referenced this issue Oct 20, 2020
(cherry picked from commit 05ee790)

Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
miss-islington added a commit that referenced this issue Oct 20, 2020
(cherry picked from commit 05ee790)

Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
ned-deily added a commit that referenced this issue Oct 20, 2020
…-22801)

Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Oct 20, 2020
) (pythonGH-22801)

Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
(cherry picked from commit e512bc7)

Co-authored-by: Ned Deily <nad@python.org>
@ned-deily ned-deily added the type-security label Oct 20, 2020
ned-deily added a commit that referenced this issue Oct 20, 2020
…H-22801) (GH-22804)

Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
(cherry picked from commit e512bc7)

Co-authored-by: Ned Deily <nad@python.org>
gentoo-bot pushed a commit to gentoo/cpython that referenced this issue Dec 14, 2020
) (pythonGH-22801) (pythonGH-22804)

Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
(cherry picked from commit e512bc7)

Co-authored-by: Ned Deily <nad@python.org>

Rebased for Python 2.7 by Michał Górny <mgorny@gentoo.org>