
Author ronaldoussoren
Recipients christian.heimes, ronaldoussoren, serhiy.storchaka, vstinner
Date 2020-10-18.14:24:00
Message-id <1603031040.85.0.133074217254.issue42051@roundup.psfhosted.org>
Content
One option is to copy what defusedxml does to forbid a number of unsafe operations, see https://github.com/tiran/defusedxml/blob/eb38a2d710b67df48614cb5098ddb8472289ce6d/defusedxml/ElementTree.py#L68

Defusedxml uses an XMLParser subclass that optionally disables some features (such as entity definitions); for plistlib those features can be disabled unconditionally.

I haven't thought much about the exception to use; probably an exception similar to the one used for invalid plist files.

Another thing I haven't really thought about: would such a change be 3.10-only, or is this something we could backport?

The following plist file currently works with plistlib, but does not work with plutil(1) on macOS 10.15 (parse error in the DTD definition).  That indicates that entity definitions aren't supposed to be used in plist files and it would be safe to disable this feature in plistlib.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd" [
   <!ENTITY entity "replacement text">
  ]>
<plist version="1.0">
  <dict>
    <key>A</key>
    <string>&entity;</string>
  </dict>
</plist>
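The following is an added example, not code from the message above, from plistlib, or from defusedxml. It shows the approach the message describes: an expat parser that keeps the DOCTYPE (every XML plist carries one) but installs an EntityDeclHandler that rejects any entity declaration before expat can expand it, which is what defusedxml does when entity definitions are forbidden. The minimal <string>-collecting parser, the constructed sample plists (the first is the plist from the message), and the ForbiddenEntity exception are all assumptions made for this example; a real change to plistlib would raise its existing InvalidFileException instead.

```python
import xml.parsers.expat


class ForbiddenEntity(ValueError):
    """Hypothetical exception for this example; plistlib would use InvalidFileException."""


# Constructed sample 1: the plist from the message, with an internal entity declaration.
PLIST_WITH_ENTITY = b'''<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd" [
   <!ENTITY entity "replacement text">
  ]>
<plist version="1.0">
  <dict>
    <key>A</key>
    <string>&entity;</string>
  </dict>
</plist>
'''

# Constructed sample 2: an ordinary plist. It still has a DOCTYPE, so the hardened
# parser must reject entity declarations, not the DOCTYPE itself.
PLIST_PLAIN = b'''<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>A</key>
    <string>plain</string>
  </dict>
</plist>
'''


def load_strings(data, forbid_entities=True):
    """Parse an XML plist with expat and return the text of every <string> element.

    This is a deliberately minimal stand-in for plistlib's parser; only the
    entity-handling part is the point of the example.
    """
    parser = xml.parsers.expat.ParserCreate()
    strings = []
    state = {"in_string": False, "buf": []}

    def start_element(name, attrs):
        if name == "string":
            state["in_string"] = True
            state["buf"] = []

    def end_element(name):
        if name == "string":
            state["in_string"] = False
            strings.append("".join(state["buf"]))

    def character_data(text):
        if state["in_string"]:
            state["buf"].append(text)

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = character_data

    if forbid_entities:
        # Fire on any <!ENTITY ...> in the internal subset, internal or external,
        # general or parameter. Raising here stops the parse before expansion.
        def entity_decl(entity_name, is_parameter_entity, value, base,
                        system_id, public_id, notation_name):
            raise ForbiddenEntity(f"entity declaration not allowed: {entity_name!r}")

        # expat does not fetch external entities by default; making the refusal
        # explicit means a later SetParamEntityParsing change cannot reopen it.
        def external_entity_ref(context, base, system_id, public_id):
            raise ForbiddenEntity("external entity reference not allowed")

        parser.EntityDeclHandler = entity_decl
        parser.ExternalEntityRefHandler = external_entity_ref

    # Exceptions raised inside expat handlers propagate out of Parse().
    parser.Parse(data, True)
    return strings


def is_rejected(data):
    """True if the hardened parser refuses the document."""
    try:
        load_strings(data, forbid_entities=True)
    except ForbiddenEntity:
        return True
    return False


if __name__ == "__main__":
    print(load_strings(PLIST_WITH_ENTITY, forbid_entities=False))  # entity expanded
    print(load_strings(PLIST_PLAIN))                                # DOCTYPE alone is fine
    print(is_rejected(PLIST_WITH_ENTITY))                            # declaration refused
```

Without the handler the sample from the message parses and the entity is expanded, which is the behaviour the message reports for plistlib at the time; with it, the declaration is refused while a normal plist with its DOCTYPE still loads. Because the check is on the declaration rather than on the reference, it also stops nested-entity expansion (the "billion laughs" pattern) that never reaches a <string> element.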