File: CVE-2022-48565.diff

package info (click to toggle)
python2.7 2.7.18-8%2Bdeb11u1
  • links: PTS, VCS
  • area: main
  • in suites: bullseye
  • size: 78,736 kB
  • sloc: python: 470,452; ansic: 443,657; sh: 17,616; asm: 14,304; makefile: 4,914; objc: 761; exp: 499; javascript: 314; cpp: 128; xml: 76
file content (90 lines) | stat: -rw-r--r-- 3,155 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
 
From 05ee790f4d1cd8725a90b54268fc1dfe5b4d1fa2 Mon Sep 17 00:00:00 2001
From: Ronald Oussoren <ronaldoussoren@mac.com>
Date: Mon, 19 Oct 2020 20:13:49 +0200
Subject: [PATCH] bpo-42051: Reject XML entity declarations in plist files
 (#22760)

---
 Lib/plistlib.py                                |  7 +++++++
 Lib/test/test_plistlib.py                      | 18 ++++++++++++++++++
 .../2020-10-19-10-56-27.bpo-42051.EU_B7u.rst   |  3 +++
 3 files changed, 28 insertions(+)
 create mode 100644 Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst

Backport:
 * Drop Misc/NEWS.d
 * plistlib.py:
   * Handle cAmElCaSe vs under_scores
   * self.parser vs parser
   * Degrade InvalidFileException to ValueError
 * test_plistlib.py:
   * Update hunk context
   * Drop b"" prefix
   * Degrade InvalidFileException to ValueError
   * Adapt parser invocation to older API
   * Reimplement assertRaisesRegexp

diff --git a/Lib/plistlib.py b/Lib/plistlib.py
index aff5fe36ca..ba7ac19364 100644
--- a/Lib/plistlib.py
+++ b/Lib/plistlib.py
@@ -173,9 +173,16 @@ def parse(self, fileobj):
         parser.StartElementHandler = self.handleBeginElement
         parser.EndElementHandler = self.handleEndElement
         parser.CharacterDataHandler = self.handleData
+        parser.EntityDeclHandler = self.handleEntityDecl
         parser.ParseFile(fileobj)
         return self.root
 
+    def handleEntityDecl(self, entity_name, is_parameter_entity, value, base, system_id, public_id, notation_name):
+        # Reject plist files with entity declarations to avoid XML vulnerabilies in expat.
+        # Regular plist files don't contain those declerations, and Apple's plutil tool does not
+        # accept them either.
+        raise ValueError("XML entity declarations are not supported in plist files")
+
     def handleBeginElement(self, element, attrs):
         self.data = []
         handler = getattr(self, "begin_" + element, None)
diff --git a/Lib/test/test_plistlib.py b/Lib/test/test_plistlib.py
index e5c9b5b6b2..cb071da1f3 100644
--- a/Lib/test/test_plistlib.py
+++ b/Lib/test/test_plistlib.py
@@ -106,6 +106,19 @@
 </plist>
 """.replace(" " * 8, "\t")  # Apple as well as plistlib.py output hard tabs
 
+XML_PLIST_WITH_ENTITY='''\
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd" [
+   <!ENTITY entity "replacement text">
+  ]>
+<plist version="1.0">
+  <dict>
+    <key>A</key>
+    <string>&entity;</string>
+  </dict>
+</plist>
+'''
+
 
 class TestPlistlib(unittest.TestCase):
 
@@ -524,6 +537,15 @@ def test_modified_uid_huge(self):
         self.assertEqual(test1, result1)
         self.assertEqual(test2, result2)
 
+    def test_xml_plist_with_entity_decl(self):
+        try:
+            plistlib.readPlistFromString(XML_PLIST_WITH_ENTITY)
+        except ValueError as e:
+            self.assertIn("XML entity declarations are not supported",
+                          e.message)
+        else:
+            self.fail("expected ValueError to be raised")
+
 
 def test_main():
     test_support.run_unittest(TestPlistlib)
-- 
2.40.1