This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author ronaldoussoren
Recipients christian.heimes, ronaldoussoren, serhiy.storchaka, vstinner
Date 2020-10-18.14:24:00
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
One option is to copy what defusedxml does to forbid a number of unsafe operations, see

Defusedxml uses an XMLParser subclass that optionally disables some features (such as entity definitions), for plistlib those features can be disabled unconditionally. 

I haven't thought much about the exceptions to use, probably a similar exception as is used for invalid plist files. 

Another thing I haven't really thought about: would such a change be 3.10 only or is this something we could backport?  

The following plist file currently works with plistlib, but does not work with plutil(1) on macOS 10.15 (parse error in the DTD definition).  That indicates that entity definitions aren't supposed to be used in plist files and it would be safe to disable this feature in plistlib.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "" [
   <!ENTITY entity "replacement text">
<plist version="1.0">
Date User Action Args
2020-10-18 14:24:00ronaldoussorensetrecipients: + ronaldoussoren, vstinner, christian.heimes, serhiy.storchaka
2020-10-18 14:24:00ronaldoussorensetmessageid: <>
2020-10-18 14:24:00ronaldoussorenlinkissue42051 messages
2020-10-18 14:24:00ronaldoussorencreate