Please update bundled libexpat to 2.4.6 with security fixes (5 CVEs) #90950
Comments
hartwork
mannequin
added
3.7 (EOL)
|
BTW there are test regressions with expat 2.4.5, apparently due to some test snippets now being rejected as invalid XML: ====================================================================== Traceback (most recent call last):
File "/home/mgorny/git/cpython/Lib/xml/etree/ElementTree.py", line 1718, in feed
self.parser.Parse(data, False)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
xml.parsers.expat.ExpatError: syntax error: line 1, column 0
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/home/mgorny/git/cpython/Lib/test/test_xml_etree.py", line 2196, in test_issue3151
e = ET.XML('<prefix:localname xmlns:prefix="${stuff}"/>')
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/mgorny/git/cpython/Lib/xml/etree/ElementTree.py", line 1347, in XML
parser.feed(text)
^^^^^^^^^^^^^^^^^
File "/home/mgorny/git/cpython/Lib/xml/etree/ElementTree.py", line 1720, in feed
self._raiseerror(v)
^^^^^^^^^^^^^^^^^^^
File "/home/mgorny/git/cpython/Lib/xml/etree/ElementTree.py", line 1627, in _raiseerror
raise err
^^^^^^^^^
xml.etree.ElementTree.ParseError: syntax error: line 1, column 0====================================================================== Traceback (most recent call last):
File "/home/mgorny/git/cpython/Lib/test/test_minidom.py", line 1150, in testEncodings
self.assertRaises(UnicodeDecodeError, parseString,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/mgorny/git/cpython/Lib/unittest/case.py", line 734, in assertRaises
return context.handle('assertRaises', args, kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/mgorny/git/cpython/Lib/unittest/case.py", line 218, in handle
callable_obj(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/mgorny/git/cpython/Lib/xml/dom/minidom.py", line 1998, in parseString
return expatbuilder.parseString(string)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/mgorny/git/cpython/Lib/xml/dom/expatbuilder.py", line 925, in parseString
return builder.parseString(string)
^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/mgorny/git/cpython/Lib/xml/dom/expatbuilder.py", line 223, in parseString
parser.Parse(string, True)
^^^^^^^^^^^^^^^^^^^^^^^^^^
xml.parsers.expat.ExpatError: not well-formed (invalid token): line 1, column 5====================================================================== Traceback (most recent call last):
File "/home/mgorny/git/cpython/Lib/test/test_minidom.py", line 1613, in testExceptionOnSpacesInXMLNSValue
parseString('<element xmlns:abc="http:abc.com/de f g/hi/j k"><abc:foo /></element>')
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/mgorny/git/cpython/Lib/xml/dom/minidom.py", line 1998, in parseString
return expatbuilder.parseString(string)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/mgorny/git/cpython/Lib/xml/dom/expatbuilder.py", line 925, in parseString
return builder.parseString(string)
^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/mgorny/git/cpython/Lib/xml/dom/expatbuilder.py", line 223, in parseString
parser.Parse(string, True)
^^^^^^^^^^^^^^^^^^^^^^^^^^
xml.parsers.expat.ExpatError: syntax error: line 1, column 0 |
|
Hi Michal, TL;DR would be:
I will demo a fix to 2 of the 3 test fails below: # git diff -U1 | cat
diff --git a/Lib/test/test_minidom.py b/Lib/test/test_minidom.py
index 1663b1f114..38cea97a97 100644
--- a/Lib/test/test_minidom.py
+++ b/Lib/test/test_minidom.py
@@ -12,2 +12,3 @@
from xml.dom.minidom import getDOMImplementation
+from xml.parsers.expat import ExpatError
@@ -1149,4 +1150,6 @@ def testEncodings(self):
# of crashing
- self.assertRaises(UnicodeDecodeError, parseString,
- b'<fran\xe7ais>Comment \xe7a va ? Tr\xe8s bien ?</fran\xe7ais>')
+ self.assertRaises(ExpatError, parseString,
+ b'<fran\xe7ais></fran\xe7ais>')
+ self.assertRaises(ExpatError, parseString,
+ b'<franais>Comment \xe7a va ? Tr\xe8s bien ?</franais>')
@@ -1611,3 +1614,3 @@ def testEmptyXMLNSValue(self):
def testExceptionOnSpacesInXMLNSValue(self):
- with self.assertRaisesRegex(ValueError, 'Unsupported syntax'):
+ with self.assertRaisesRegex(ExpatError, "syntax error"):
parseString('<element xmlns:abc="http:abc.com/de f g/hi/j k"><abc:foo /></element>')
For the third test, the key is that the closing curly brace is used as the self->parser = EXPAT(ParserCreate_MM)(encoding, &ExpatMemoryHandler, "}"); …in file Modules/_elementtree.c (which is okay but part of the test fail). Best Sebastian |
hartwork
mannequin
changed the title
hartwork
mannequin
changed the title
|
Could you make a PR to fix the test failures? I suppose that could speed things up and if not, I'd at least have something to pull into Gentoo. |
|
I'm busy with the release upstream at the moment. I'll see what I can do. |
|
I have created a dedicated ticket bpo-46811 now, test suite pull request upcoming. |
|
On PyPy, the test |
|
Hi mattip, at the core the problem is not the use of non-URI character "}" for a namespace separator but the use of non-URI character "}" in a namespace URI. test_issue3151 is mistaken (meaning that non-URI characters in URIs are malformed XML) and the test has been removed in CPython pull request https://github.com/python/cpython/pull/31453/files . Expat pull request libexpat/libexpat#577 is related but it's about URI characters not about non-URI ones, so it does not change anything about test_issue3151 in PyPy. Does that make sense? Best, Sebastian |
Thanks, I missed that. Makes sense. |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: