diff --git a/Lib/plistlib.py b/Lib/plistlib.py
index a91864372554bf..6e030f25b21f09 100644
--- a/Lib/plistlib.py
+++ b/Lib/plistlib.py
@@ -322,9 +322,16 @@ def parse(self, fileobj):
self.parser.StartElementHandler = self.handle_begin_element
self.parser.EndElementHandler = self.handle_end_element
self.parser.CharacterDataHandler = self.handle_data
+ self.parser.EntityDeclHandler = self.handle_entity_decl
self.parser.ParseFile(fileobj)
return self.root
+ def handle_entity_decl(self, entity_name, is_parameter_entity, value, base, system_id, public_id, notation_name):
+ # Reject plist files with entity declarations to avoid XML vulnerabilies in expat.
+ # Regular plist files don't contain those declerations, and Apple's plutil tool does not
+ # accept them either.
+ raise InvalidFileException("XML entity declarations are not supported in plist files")
+
def handle_begin_element(self, element, attrs):
self.data = []
handler = getattr(self, "begin_" + element, None)
diff --git a/Lib/test/test_plistlib.py b/Lib/test/test_plistlib.py
index d47c607329cd51..abb1b81e6b0574 100644
--- a/Lib/test/test_plistlib.py
+++ b/Lib/test/test_plistlib.py
@@ -90,6 +90,19 @@
xQHHAsQC0gAAAAAAAAIBAAAAAAAAADkAAAAAAAAAAAAAAAAAAALs'''),
}
+XML_PLIST_WITH_ENTITY=b'''\
+
+
+ ]>
+
+
+ A
+ &entity;
+
+
+'''
+
class TestPlistlib(unittest.TestCase):
@@ -444,6 +457,11 @@ def test_xml_encodings(self):
pl2 = plistlib.loads(data)
self.assertEqual(dict(pl), dict(pl2))
+ def test_xml_plist_with_entity_decl(self):
+ with self.assertRaisesRegex(plistlib.InvalidFileException,
+ "XML entity declarations are not supported"):
+ plistlib.loads(XML_PLIST_WITH_ENTITY, fmt=plistlib.FMT_XML)
+
class TestBinaryPlistlib(unittest.TestCase):
diff --git a/Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst b/Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst
new file mode 100644
index 00000000000000..e865ed12a03878
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst
@@ -0,0 +1,3 @@
+The :mod:`plistlib` module no longer accepts entity declarations in XML
+plist files to avoid XML vulnerabilities. This should not affect users as
+entity declarations are not used in regular plist files.
pFad - Phonifier reborn
Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.
Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.
Alternative Proxies:
Alternative Proxy
pFad Proxy
pFad v3 Proxy
pFad v4 Proxy