git.ipfire.org Git - thirdparty/Python/cpython.git/commit

author	Sebastian Pipping <sebastian@pipping.org>
	Wed, 17 Dec 2025 14:58:59 +0000 (15:58 +0100)
committer	GitHub <noreply@github.com>
	Wed, 17 Dec 2025 14:58:59 +0000 (15:58 +0100)
commit	0e4cd897811651d896c5be9beec803b506131c7c
tree	7bbae7a77fb3e898577446ab7d678cdcd0a9efac	tree \| snapshot
parent	d849cf5fec76947865370a41baba8934c581cdb2	commit \| diff

[3.12] gh-90949: add Expat API to prevent XML deadly allocations (CVE-2025-59375) (GH-139234) (#139527)

* [3.12] gh-90949: add Expat API to prevent XML deadly allocations (CVE-2025-59375) (GH-139234)

Expose the XML Expat 2.7.2 mitigation APIs to disallow use of
disproportional amounts of dynamic memory from within an Expat
parser (see CVE-2025-59375 for instance).

The exposed APIs are available on Expat parsers, that is,
parsers created by `xml.parsers.expat.ParserCreate()`, as:

- `parser.SetAllocTrackerActivationThreshold(threshold)`, and
- `parser.SetAllocTrackerMaximumAmplification(max_factor)`.

(cherry picked from commit f04bea44c37793561d753dd4ca6e7cd658137553)
(cherry picked from commit 68a1778b7721f3fb853cd3aa674f7039c2a4df36)
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>

Doc/library/pyexpat.rst		diff \| blob \| blame \| history
Include/pyexpat.h		diff \| blob \| blame \| history
Lib/test/test_pyexpat.py		diff \| blob \| blame \| history
Misc/NEWS.d/next/Library/2025-09-22-14-40-11.gh-issue-90949.UM35nb.rst	[new file with mode: 0644]	blob
Modules/clinic/pyexpat.c.h		diff \| blob \| blame \| history
Modules/expat/pyexpatns.h		diff \| blob \| blame \| history
Modules/pyexpat.c		diff \| blob \| blame \| history