Message 302101 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	scoder
Recipients	scoder
Date	2017-09-13.17:28:39
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1505323719.65.0.33849698499.issue31455@psf.upfronthosting.co.za>
In-reply-to

Content
The "XMLParser.__init__()" method in "_elementtree.c" contains this code: self->handle_start = PyObject_GetAttrString(target, "start"); self->handle_data = PyObject_GetAttrString(target, "data"); self->handle_end = PyObject_GetAttrString(target, "end"); self->handle_comment = PyObject_GetAttrString(target, "comment"); self->handle_pi = PyObject_GetAttrString(target, "pi"); self->handle_close = PyObject_GetAttrString(target, "close"); self->handle_doctype = PyObject_GetAttrString(target, "doctype"); PyErr_Clear(); This ignores all exceptions, not only AttributeError. It also passes live exceptions into the later lookup calls, which may execute arbitrary user code.

The "XMLParser.__init__()" method in "_elementtree.c" contains this code:

    self->handle_start = PyObject_GetAttrString(target, "start");
    self->handle_data = PyObject_GetAttrString(target, "data");
    self->handle_end = PyObject_GetAttrString(target, "end");
    self->handle_comment = PyObject_GetAttrString(target, "comment");
    self->handle_pi = PyObject_GetAttrString(target, "pi");
    self->handle_close = PyObject_GetAttrString(target, "close");
    self->handle_doctype = PyObject_GetAttrString(target, "doctype");
    PyErr_Clear();

This ignores all exceptions, not only AttributeError.
It also passes live exceptions into the later lookup calls, which may execute arbitrary user code.

History
Date	User	Action	Args
2017-09-13 17:28:39	scoder	set	recipients: + scoder
2017-09-13 17:28:39	scoder	set	messageid: <1505323719.65.0.33849698499.issue31455@psf.upfronthosting.co.za>
2017-09-13 17:28:39	scoder	link	issue31455 messages
2017-09-13 17:28:39	scoder	create