gh-148954: Escape methodname in xmlrpc.client.dumps() to prevent XML injection (GH... main
authorSanyam Kumat <124618873+sanyamk23@users.noreply.github.com>
Sat, 6 Jun 2026 21:38:15 +0000 (03:08 +0530)
committerGitHub <noreply@github.com>
Sat, 6 Jun 2026 21:38:15 +0000 (21:38 +0000)
Lib/test/test_xmlrpc.py
Lib/xmlrpc/client.py
Misc/NEWS.d/next/Library/2026-04-24-19-54-00.gh-issue-148954.v1.rst [new file with mode: 0644]

index 2803c6d45c27bfaa9e7a0aece54d7fc962a2a9bd..ee0e24f6e86ae3347addf28008848a7559ee2ce8 100644 (file)
@@ -208,6 +208,17 @@ class XMLRPCTestCase(unittest.TestCase):
         self.assertEqual(xmlrpclib.loads(strg)[0][0], value)
         self.assertEqual(xmlrpclib.loads(strg)[1], methodname)
 
+    def test_dump_escape_methodname(self):
+        payload = 'foo</methodName><injected attr="evil"/><methodName>bar'
+        s = xmlrpclib.dumps((), methodname=payload)
+        self.assertIn(
+            '<methodName>foo&lt;/methodName&gt;&lt;injected attr="evil"/&gt;'
+            '&lt;methodName&gt;bar</methodName>', s
+        )
+        self.assertNotIn('<injected attr="evil"/>', s)
+        load, m = xmlrpclib.loads(s)
+        self.assertEqual(m, payload)
+
     def test_dump_bytes(self):
         sample = b"my dog has fleas"
         self.assertEqual(sample, xmlrpclib.Binary(sample))
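Review bot: The new test only covers `<` and `>` in the method name; because the escape helper rewrites `&` as well (and must do so before the other replacements), a second case such as `s = xmlrpclib.dumps((), methodname='a&b')` followed by `self.assertEqual(xmlrpclib.loads(s)[1], 'a&b')` would pin the ampersand path, which previously produced malformed XML rather than an injected element. The expected string on the `&lt;injected attr="evil"/&gt;` line also relies on `"` being left literal, which is correct inside element content but worth a one-line comment such as `# quotes are legal in element content and are intentionally not escaped` so a later change to the escaping rules does not silently break this assertion. XMLRPCTestCase starts and ends outside the hunk.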
index f441376d09c4aa2ea88aef83fcd14ecc9e8db82f..84e4e4d11a7319eb427620dd06a5289beef6f9f9 100644 (file)
@@ -965,7 +965,7 @@ def dumps(params, methodname=None, methodresponse=None, encoding=None,
         data = (
             xmlheader,
             "<methodCall>\n"
-            "<methodName>", methodname, "</methodName>\n",
+            "<methodName>", escape(methodname), "</methodName>\n",
             data,
             "</methodCall>\n"
             )
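Review bot: The new `escape(methodname)` call has no comment saying why the name is escaped while the neighbouring literals are not, and `dumps` is long enough that the reason will not be obvious from the hunk alone; I would add `# methodname is caller-supplied text: escape it so it cannot close <methodName> and add markup` above the `data = (` line. The call assumes `methodname` is a `str`, which the existing `"".join` of this tuple already required, so this is not a behaviour change for valid callers, and the parser side unescapes it again (the round-trip is what the new test asserts). `escape` here is presumably the module-level helper defined earlier in this file, which handles `&`, `<` and `>` and is sufficient for element content. `dumps` starts and ends outside the hunk.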
diff --git a/Misc/NEWS.d/next/Library/2026-04-24-19-54-00.gh-issue-148954.v1.rst b/Misc/NEWS.d/next/Library/2026-04-24-19-54-00.gh-issue-148954.v1.rst
new file mode 100644 (file)
index 0000000..6245af7
--- /dev/null
@@ -0,0 +1 @@
+Fix XML injection vulnerability in :func:`xmlrpc.client.dumps` where the ``methodname`` was not being escaped before interpolation into the XML body.