git.ipfire.org Git - thirdparty/Python/cpython.git/commit

[3.14] gh-90949: add Expat API to prevent XML deadly allocations (CVE-2025-59375) (GH-139234) (#139359)

* [3.14] gh-90949: add Expat API to prevent XML deadly allocations (CVE-2025-59375) (GH-139234)

Expose the XML Expat 2.7.2 mitigation APIs to disallow use of
disproportional amounts of dynamic memory from within an Expat
parser (see CVE-2025-59375 for instance).

The exposed APIs are available on Expat parsers, that is,
parsers created by `xml.parsers.expat.ParserCreate()`, as:

- `parser.SetAllocTrackerActivationThreshold(threshold)`, and
- `parser.SetAllocTrackerMaximumAmplification(max_factor)`.

(cherry picked from commit f04bea44c37793561d753dd4ca6e7cd658137553)
(cherry picked from commit 68a1778b7721f3fb853cd3aa674f7039c2a4df36)

author	Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
	Sun, 2 Nov 2025 09:33:36 +0000 (10:33 +0100)
committer	GitHub <noreply@github.com>
	Sun, 2 Nov 2025 09:33:36 +0000 (09:33 +0000)
commit	bf2865f80f50d0a9a4ea7082ced6087fa76b6f7c
tree	4c04632f8580ebeb2477d17095846ba7e54edf6b	tree \| snapshot
parent	4d7fab9b15f9ce9239af809064fe5ce70faab433	commit \| diff

Doc/library/pyexpat.rst		diff \| blob \| blame \| history
Include/pyexpat.h		diff \| blob \| blame \| history
Lib/test/test_pyexpat.py		diff \| blob \| blame \| history
Misc/NEWS.d/next/Library/2025-09-22-14-40-11.gh-issue-90949.UM35nb.rst	[new file with mode: 0644]	blob
Modules/clinic/pyexpat.c.h		diff \| blob \| blame \| history
Modules/expat/pyexpatns.h		diff \| blob \| blame \| history
Modules/pyexpat.c		diff \| blob \| blame \| history