Skip to content

[3.12] gh-115398: Expose Expat >=2.6.0 reparse deferral API (CVE-2023-52425) (GH-115623) #116248

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Mar 6, 2024
Merged

[3.12] gh-115398: Expose Expat >=2.6.0 reparse deferral API (CVE-2023-52425) (GH-115623) #116248

merged 4 commits into from
Mar 6, 2024

Conversation

hartwork
Copy link
Contributor

@hartwork hartwork commented Mar 2, 2024
edited by github-actions bot
Loading

Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) by adding five new methods:

  • xml.etree.ElementTree.XMLParser.flush
  • xml.etree.ElementTree.XMLPullParser.flush
  • xml.parsers.expat.xmlparser.GetReparseDeferralEnabled
  • xml.parsers.expat.xmlparser.SetReparseDeferralEnabled
  • xml.sax.expatreader.ExpatParser.flush

Based on the "flush" idea from #115138 (comment) .

Includes code suggested-by: Snild Dolkow [email protected]
and by core dev Serhiy Storchaka.

(cherry picked from commit 6a95676)

📚 Documentation preview 📚: https://cpython-previews--116248.org.readthedocs.build/

@hartwork
pythongh-115398: Expose Expat >=2.6.0 reparse deferral API (CVE-2023-…
ac019e3 
…52425) (pythonGH-115623)

Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) by adding five new methods:

- `xml.etree.ElementTree.XMLParser.flush`
- `xml.etree.ElementTree.XMLPullParser.flush`
- `xml.parsers.expat.xmlparser.GetReparseDeferralEnabled`
- `xml.parsers.expat.xmlparser.SetReparseDeferralEnabled`
- `xml.sax.expatreader.ExpatParser.flush`

Based on the "flush" idea from python#115138 (comment) .

- Please treat as a security fix related to CVE-2023-52425.

Includes code suggested-by: Snild Dolkow <[email protected]>
and by core dev Serhiy Storchaka.

(cherry picked from commit 6a95676)
@hartwork hartwork requested a review from sethmlarson as a code owner March 2, 2024 19:21
@bedevere-app bedevere-app bot mentioned this pull request Mar 2, 2024
Merged
@bedevere-app bedevere-app bot added type-feature A feature request or enhancement type-security A security issue labels Mar 2, 2024
@bedevere-app bedevere-app bot mentioned this pull request Mar 2, 2024
Closed
serhiy-storchaka
serhiy-storchaka reviewed Mar 3, 2024
View reviewed changes
@hartwork
Adjust versionadded:: to be about 3.12.3, only
66d991b 
As suggested by Serhiy Storchaka
gpshead
gpshead reviewed Mar 4, 2024
View reviewed changes
hartwork and others added 2 commits March 6, 2024 22:12
@hartwork
pythongh-115398: Suggest use of hasattr with checking for 3.13 Expa…
5573d60 
…t API availability (pythonGH-116278)

Suggest use of "hasattr" with checking for 3.13 Expat API availability

(cherry picked from commit 73807eb)
@gpshead @hartwork
RESTify news API list.
cafaa33 
(cherry picked from commit eda2963)
@hartwork hartwork force-pushed the backport-6a95676-3.12 branch from a5a8f3c to cafaa33 Compare March 6, 2024 21:26
@gpshead gpshead enabled auto-merge (squash) March 6, 2024 21:41
@gpshead gpshead merged commit 0a01ed6 into python:3.12 Mar 6, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gpshead gpshead gpshead left review comments

@sethmlarson sethmlarson Awaiting requested review from sethmlarson sethmlarson is a code owner

@serhiy-storchaka serhiy-storchaka Awaiting requested review from serhiy-storchaka

Assignees
No one assigned
Labels
type-feature A feature request or enhancement type-security A security issue
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@hartwork @gpshead @serhiy-storchaka