self.parser.StartElementHandler = self.handle_begin_element
self.parser.EndElementHandler = self.handle_end_element
self.parser.CharacterDataHandler = self.handle_data
+ self.parser.EntityDeclHandler = self.handle_entity_decl
self.parser.ParseFile(fileobj)
return self.root
+ def handle_entity_decl(self, entity_name, is_parameter_entity, value, base, system_id, public_id, notation_name):
+ # Reject plist files with entity declarations to avoid XML vulnerabilies in expat.
+ # Regular plist files don't contain those declerations, and Apple's plutil tool does not
+ # accept them either.
+ raise InvalidFileException("XML entity declarations are not supported in plist files")
+
def handle_begin_element(self, element, attrs):
self.data = []
handler = getattr(self, "begin_" + element, None)
AAABOQ=='''),
}
+XML_PLIST_WITH_ENTITY=b'''\
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd" [
+ <!ENTITY entity "replacement text">
+ ]>
+<plist version="1.0">
+ <dict>
+ <key>A</key>
+ <string>&entity;</string>
+ </dict>
+</plist>
+'''
+
class TestPlistlib(unittest.TestCase):
with self.assertRaises(OverflowError):
plistlib.dumps(huge_uid, fmt=plistlib.FMT_BINARY)
+ def test_xml_plist_with_entity_decl(self):
+ with self.assertRaisesRegex(plistlib.InvalidFileException,
+ "XML entity declarations are not supported"):
+ plistlib.loads(XML_PLIST_WITH_ENTITY, fmt=plistlib.FMT_XML)
+
class TestBinaryPlistlib(unittest.TestCase):
--- /dev/null
+The :mod:`plistlib` module no longer accepts entity declarations in XML
+plist files to avoid XML vulnerabilities. This should not affect users as
+entity declarations are not used in regular plist files.
projects / thirdparty / Python / cpython.git / commitdiff
