Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[3.8] gh-115398: Expose Expat >=2.6.0 reparse deferral API (CVE-2023-52425) (GH-115623) #116275

Merged
merged 3 commits into from
Mar 6, 2024

Conversation

hartwork
Copy link
Contributor

@hartwork hartwork commented Mar 3, 2024

Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) by adding five new methods:

  • xml.etree.ElementTree.XMLParser.flush
  • xml.etree.ElementTree.XMLPullParser.flush
  • xml.parsers.expat.xmlparser.GetReparseDeferralEnabled
  • xml.parsers.expat.xmlparser.SetReparseDeferralEnabled
  • xml.sax.expatreader.ExpatParser.flush

Based on the "flush" idea from #115138 (comment) .

Includes code suggested-by: Snild Dolkow [email protected]
and by core dev Serhiy Storchaka.

(cherry picked from commit 6a95676)

…52425) (pythonGH-115623)

Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) by adding five new methods:

- `xml.etree.ElementTree.XMLParser.flush`
- `xml.etree.ElementTree.XMLPullParser.flush`
- `xml.parsers.expat.xmlparser.GetReparseDeferralEnabled`
- `xml.parsers.expat.xmlparser.SetReparseDeferralEnabled`
- `xml.sax.expatreader.ExpatParser.flush`

Based on the "flush" idea from python#115138 (comment) .

- Please treat as a security fix related to CVE-2023-52425.

Includes code suggested-by: Snild Dolkow <[email protected]>
and by core dev Serhiy Storchaka.

(cherry picked from commit 6a95676)
hartwork and others added 2 commits March 6, 2024 22:24
…t API availability (pythonGH-116278)

Suggest use of "hasattr" with checking for 3.13 Expat API availability

(cherry picked from commit 73807eb)
(cherry picked from commit eda2963)
Calling ``SetReparseDeferralEnabled(True)`` allows re-enabling reparse
deferral.

Note that :meth:`SetReparseDeferralEnabled` has been backported to some
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider eliding this first sentence within the 3.8 back port docs as it won't be backported further. The overall "check for availability" advice is valid regardless though.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@gpshead I'm unsure of better wording, it's not wrong technically and I see some value in having all branches agree on this text — my vote for keeping as is. If it's dear to you, I can change it. In that case please help me find better wording for 3.8.

@gpshead
Copy link
Member

gpshead commented Mar 6, 2024

@ambv - 3.12 and 3.11 branch backports have been merged.

@ambv ambv merged commit 854f645 into python:3.8 Mar 6, 2024
14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
type-feature A feature request or enhancement type-security A security issue
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants