99 lines
3.8 KiB
Diff
99 lines
3.8 KiB
Diff
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||
|
From: Ned Deily <nad@python.org>
|
||
|
Date: Fri, 6 Oct 2023 12:23:43 +0200
|
||
|
Subject: [PATCH] 00406-cve-2022-48565.patch
|
||
|
|
||
|
Reject XML entity declarations in plist files
|
||
|
CVE-2022-48565: XML External Entity in XML processing plistlib module
|
||
|
Backported from https://github.com/python/cpython/commit/a158fb9c5138
|
||
|
Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2022-48565
|
||
|
|
||
|
Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
|
||
|
Co-authored-by: Lumir Balhar <lbalhar@redhat.com>
|
||
|
---
|
||
|
Lib/plistlib.py | 12 ++++++++++++
|
||
|
Lib/test/test_plistlib.py | 18 ++++++++++++++++++
|
||
|
.../2020-10-19-10-56-27.bpo-42051.EU_B7u.rst | 3 +++
|
||
|
3 files changed, 33 insertions(+)
|
||
|
create mode 100644 Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst
|
||
|
|
||
|
diff --git a/Lib/plistlib.py b/Lib/plistlib.py
|
||
|
index 42897b8da8b..73fca1d4714 100644
|
||
|
--- a/Lib/plistlib.py
|
||
|
+++ b/Lib/plistlib.py
|
||
|
@@ -390,6 +390,11 @@ class Data:
|
||
|
return "%s(%s)" % (self.__class__.__name__, repr(self.data))
|
||
|
|
||
|
|
||
|
+class InvalidFileException (ValueError):
|
||
|
+ def __init__(self, message="Invalid file"):
|
||
|
+ ValueError.__init__(self, message)
|
||
|
+
|
||
|
+
|
||
|
class PlistParser:
|
||
|
|
||
|
def __init__(self):
|
||
|
@@ -403,9 +408,16 @@ class PlistParser:
|
||
|
parser.StartElementHandler = self.handleBeginElement
|
||
|
parser.EndElementHandler = self.handleEndElement
|
||
|
parser.CharacterDataHandler = self.handleData
|
||
|
+ parser.EntityDeclHandler = self.handle_entity_decl
|
||
|
parser.ParseFile(fileobj)
|
||
|
return self.root
|
||
|
|
||
|
+ def handle_entity_decl(self, entity_name, is_parameter_entity, value, base, system_id, public_id, notation_name):
|
||
|
+ # Reject plist files with entity declarations to avoid XML vulnerabilies in expat.
|
||
|
+ # Regular plist files don't contain those declerations, and Apple's plutil tool does not
|
||
|
+ # accept them either.
|
||
|
+ raise InvalidFileException("XML entity declarations are not supported in plist files")
|
||
|
+
|
||
|
def handleBeginElement(self, element, attrs):
|
||
|
self.data = []
|
||
|
handler = getattr(self, "begin_" + element, None)
|
||
|
diff --git a/Lib/test/test_plistlib.py b/Lib/test/test_plistlib.py
|
||
|
index 7859ad05723..bcdae924d91 100644
|
||
|
--- a/Lib/test/test_plistlib.py
|
||
|
+++ b/Lib/test/test_plistlib.py
|
||
|
@@ -86,6 +86,19 @@ TESTDATA = """<?xml version="1.0" encoding="UTF-8"?>
|
||
|
</plist>
|
||
|
""".replace(" " * 8, "\t") # Apple as well as plistlib.py output hard tabs
|
||
|
|
||
|
+XML_PLIST_WITH_ENTITY=b'''\
|
||
|
+<?xml version="1.0" encoding="UTF-8"?>
|
||
|
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd" [
|
||
|
+ <!ENTITY entity "replacement text">
|
||
|
+ ]>
|
||
|
+<plist version="1.0">
|
||
|
+ <dict>
|
||
|
+ <key>A</key>
|
||
|
+ <string>&entity;</string>
|
||
|
+ </dict>
|
||
|
+</plist>
|
||
|
+'''
|
||
|
+
|
||
|
|
||
|
class TestPlistlib(unittest.TestCase):
|
||
|
|
||
|
@@ -195,6 +208,11 @@ class TestPlistlib(unittest.TestCase):
|
||
|
self.assertEqual(test1, result1)
|
||
|
self.assertEqual(test2, result2)
|
||
|
|
||
|
+ def test_xml_plist_with_entity_decl(self):
|
||
|
+ with self.assertRaisesRegexp(plistlib.InvalidFileException,
|
||
|
+ "XML entity declarations are not supported"):
|
||
|
+ plistlib.readPlistFromString(XML_PLIST_WITH_ENTITY)
|
||
|
+
|
||
|
|
||
|
def test_main():
|
||
|
test_support.run_unittest(TestPlistlib)
|
||
|
diff --git a/Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst b/Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst
|
||
|
new file mode 100644
|
||
|
index 00000000000..31b44b229f6
|
||
|
--- /dev/null
|
||
|
+++ b/Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst
|
||
|
@@ -0,0 +1,3 @@
|
||
|
+The :mod:`plistlib` module no longer accepts entity declarations in XML
|
||
|
+plist files to avoid XML vulnerabilities. This should not affect users as
|
||
|
+entity declarations are not used in regular plist files.
|
||
|
\ No newline at end of file
|