git.ipfire.org Git - thirdparty/Python/cpython.git/commit

author	Sebastian Pipping <sebastian@pipping.org>
	Sun, 2 Nov 2025 12:39:11 +0000 (13:39 +0100)
committer	GitHub <noreply@github.com>
	Sun, 2 Nov 2025 12:39:11 +0000 (12:39 +0000)
commit	bc36bd1786b8921546b70d745aef3912af588bbb
tree	5aeca607b7ceccfe9d17673b13a45fb948393a73	tree \| snapshot
parent	6ba31ca5d513614a90e77a11619385434d75d625	commit \| diff

[3.13] gh-90949: add Expat API to prevent XML deadly allocations (CVE-2025-59375) (GH-139234) (#139367)

* gh-90949: add Expat API to prevent XML deadly allocations (CVE-2025-59375) (#139234)

Expose the XML Expat 2.7.2 mitigation APIs to disallow use of
disproportional amounts of dynamic memory from within an Expat
parser (see CVE-2025-59375 for instance).

The exposed APIs are available on Expat parsers, that is,
parsers created by `xml.parsers.expat.ParserCreate()`, as:

- `parser.SetAllocTrackerActivationThreshold(threshold)`, and
- `parser.SetAllocTrackerMaximumAmplification(max_factor)`.

(cherry picked from commit f04bea44c37793561d753dd4ca6e7cd658137553)
(cherry picked from commit 68a1778b7721f3fb853cd3aa674f7039c2a4df36)

Doc/library/pyexpat.rst		diff \| blob \| blame \| history
Include/pyexpat.h		diff \| blob \| blame \| history
Lib/test/test_pyexpat.py		diff \| blob \| blame \| history
Misc/NEWS.d/next/Library/2025-09-22-14-40-11.gh-issue-90949.UM35nb.rst	[new file with mode: 0644]	blob
Modules/clinic/pyexpat.c.h		diff \| blob \| blame \| history
Modules/expat/pyexpatns.h		diff \| blob \| blame \| history
Modules/pyexpat.c		diff \| blob \| blame \| history