Issue32072

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

classification
Title: Issues with binary plists
Type: security
Stage: resolved
Components: Library (Lib)
Versions: Python 3.7, Python 3.6, Python 3.4, Python 3.5
process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To: serhiy.storchaka
Nosy List: larry, ned.deily, ronaldoussoren, serhiy.storchaka
Priority: normal
Keywords: patch

Created on 2017-11-18 19:06 by serhiy.storchaka, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Pull Requests
URL | Status | Linked
PR 4455 | merged | serhiy.storchaka, 2017-11-18 19:16
PR 4654 | merged | python-dev, 2017-11-30 21:26
PR 4656 | merged | serhiy.storchaka, 2017-11-30 21:43
PR 4658 | merged | serhiy.storchaka, 2017-11-30 21:50
Messages (10)
msg306493 - Author: Serhiy Storchaka (serhiy.storchaka) (Python committer), Date: 2017-11-18 19:06

plistlib creates new objects when reading references instead of using already read objects.

As a result it doesn't preserve identity:

    >>> import plistlib
    >>> a = [['spam']]*2
    >>> a[0] is a[1]
    True
    >>> b = plistlib.loads(plistlib.dumps(a, fmt=plistlib.FMT_BINARY))
    >>> b == a
    True
    >>> b[0] is b[1]
    False

And plistlib.loads() is vulnerable to plists containing cyclic references (as was exposed in issue31897). For example, plistlib.loads(b'bplist00\xa1\x00\x08\x00\x00\x00\x00\x00\x00\x01\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0a') could return a list containing itself, but it fails with RecursionError.

plistlib.dumps() preserves references in the output, but it saves redundant copies. For example plistlib.dumps([[]]*5, fmt=plistlib.FMT_BINARY) saves a list containing 5 identical empty lists, but it saves an empty list 5 times, and only the last copy is used. The other 4 copies are not referenced and just spend the file volume and the space of reference numbers. Saving [[[[['spam']*100]*100]*100]*100]*100 will result in a multigigabyte, while less than a kilobyte would be enough for saving it. Loading properly saved [[[[['spam']*100]*100]*100]*100]*100 with the current plistlib.loads() will cause consuming many gigabytes of memory.

1. The issues with plistlib.dumps() are:

1a) Inefficient saving of data with references. This is a minor resource usage issue.

1b) Impossibility to save data with cyclic references. This is a lack of a feature.

2. The issues with plistlib.loads() are:

2a) Inefficient loading of data with references. This can be not just a resource usage issue, but a security issue. Loading a malicious input data smaller than 100 bytes ([[[...]*2]*2]*2) can cause consuming many gigabytes of memory.

2b) Impossibility to load data with cyclic references. This is a lack of a feature, but can be a lesser security issue. Small malicious input can cause RecursionError. If the recursion limit is set high and you are unlucky it can cause a stack overflow.

Security issues affect you only when you load plists from untrusted sources.

Adding the proper support of references could be considered a new feature, but taking into account security issues it should be backported up to 3.4 when the support of binary plists was added.
msg307145 - Author: Serhiy Storchaka (serhiy.storchaka) (Python committer), Date: 2017-11-28 17:09
Ronald, could you please make a review? I want to merge this before 3.7.0a3.
msg307344 - Author: Serhiy Storchaka (serhiy.storchaka) (Python committer), Date: 2017-11-30 21:26
New changeset a897aeeef647259a938a36cb5eb6680c86021c6a by Serhiy Storchaka in branch 'master':
bpo-32072: Fix issues with binary plists. (#4455)
https://github.com/python/cpython/commit/a897aeeef647259a938a36cb5eb6680c86021c6a
msg307347 - Author: Serhiy Storchaka (serhiy.storchaka) (Python committer), Date: 2017-11-30 22:15
New changeset 8cd31082fba88cf0064590fd3d55b6c1c964f11c by Serhiy Storchaka (Miss Islington (bot)) in branch '3.6':
bpo-32072: Fix issues with binary plists. (GH-4455) (#4654)
https://github.com/python/cpython/commit/8cd31082fba88cf0064590fd3d55b6c1c964f11c
msg309059 - Author: Serhiy Storchaka (serhiy.storchaka) (Python committer), Date: 2017-12-26 11:03
For example:

    import plistlib

    a = []
    for i in range(22):
        a = [a, a]
    b = plistlib.dumps(a, fmt=plistlib.FMT_BINARY)

The result is 130 bytes long on patched plistlib. But plistlib.dumps(b) will expand to a structure consuming almost a gigabyte of memory on unpatched plistlib. Increasing the level of nesting by one will duplicate memory consumption, so it is easy to consume all available memory on any computer.
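A pre-parse check for the two loader problems described in msg306493 and msg309059, as an added example that is not part of the original thread or of CPython: it walks the container references of a binary plist without building any objects, and reports cycles and the object count a copy-per-reference loader would create. `audit_bplist`, `CYCLIC` and `nested` are names made up for this sketch; the trailer format string is the one plistlib itself unpacks.

```python
import plistlib
import struct

def audit_bplist(data):
    """Return (expanded_nodes, cyclic) for a binary plist without building it."""
    if len(data) < 40 or data[:8] != b'bplist00':
        raise ValueError('not a binary plist')
    # Trailer: offset size, ref size, object count, top object, table position.
    off_size, ref_size, count, top, table = struct.unpack('>6xBBQQQ', data[-32:])
    def uint(pos, size):
        if size == 0 or pos + size > len(data):
            raise ValueError('truncated or malformed plist')
        return int.from_bytes(data[pos:pos + size], 'big')
    def children(obj):
        if obj >= count:
            raise ValueError('reference out of range')
        pos = uint(table + obj * off_size, off_size)
        kind, n = divmod(uint(pos, 1), 16)
        if kind not in (0xA, 0xC, 0xD):    # only array, set, dict hold refs
            return []
        pos += 1
        if n == 0x0F:                      # long count: an int object follows
            width = 1 << (uint(pos, 1) & 0x0F)
            n, pos = uint(pos + 1, width), pos + 1 + width
        n *= 2 if kind == 0xD else 1       # dict: key refs, then value refs
        # uint() bounds-checks every ref, so an oversized count fails fast.
        return [uint(pos + i * ref_size, ref_size) for i in range(n)]

    size, open_nodes, stack = {}, set(), [(top, None)]
    while stack:                           # iterative, so deep nesting is safe
        obj, kids = stack.pop()
        if kids is not None:               # second visit: children are sized
            open_nodes.discard(obj)
            size[obj] = 1 + sum(size[k] for k in kids)
        elif obj in open_nodes:
            return None, True              # reference back to an ancestor
        elif obj not in size:
            open_nodes.add(obj)
            kids = children(obj)
            stack += [(obj, kids)] + [(k, None) for k in kids]
    return size[top], False

# Constructed sample: an array whose only element is object 0, i.e. itself.
CYCLIC = b'bplist00\xa1\x00\x08' + struct.pack('>6xBBQQQ', 1, 1, 1, 0, 10)

def nested(levels):                        # the [a, a] loop from msg309059
    a = []
    for _ in range(levels):
        a = [a, a]
    return plistlib.dumps(a, fmt=plistlib.FMT_BINARY)
```

A caller would reject the input when `cyclic` is true or `expanded_nodes` exceeds its budget, before passing the bytes to plistlib.loads().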
msg310411 - Author: Larry Hastings (larry) (Python committer), Date: 2018-01-22 10:18
New changeset c59731d92dc73111d224876f1caa064097aad786 by larryhastings (Serhiy Storchaka) in branch '3.4':
[3.4] bpo-32072: Fix issues with binary plists. (GH-4455) (#4658)
https://github.com/python/cpython/commit/c59731d92dc73111d224876f1caa064097aad786
msg310497 - Author: Larry Hastings (larry) (Python committer), Date: 2018-01-23 11:21
New changeset 43f014d3f12468edf61046f0612edc7660042fd5 by larryhastings (Serhiy Storchaka) in branch '3.5':
[3.5] bpo-32072: Fix issues with binary plists. (GH-4455) (#4656)
https://github.com/python/cpython/commit/43f014d3f12468edf61046f0612edc7660042fd5
msg311336 - Author: Serhiy Storchaka (serhiy.storchaka) (Python committer), Date: 2018-01-31 15:42
Thanks Larry.
msg311339 - Author: Larry Hastings (larry) (Python committer), Date: 2018-01-31 16:06
Thank you for the fix!  I just wish I knew what plists were ;-)
msg311595 - Author: Ronald Oussoren (ronaldoussoren) (Python committer), Date: 2018-02-04 10:33
@larry: plists are Apple's equivalent to Windows INI files ;-)
History
Date | User | Action | Args
2022-04-11 14:58:54 | admin | set | github: 76253
2019-05-10 18:17:40 | ned.deily | set | messages: -msg342093
2019-05-10 17:36:38 | ned.deily | set | messages: +msg342093
2018-02-04 10:33:45 | ronaldoussoren | set | messages: +msg311595
2018-01-31 16:06:43 | larry | set | messages: +msg311339
2018-01-31 15:42:32 | serhiy.storchaka | set | status: open -> closed; resolution: fixed; messages: +msg311336; stage: patch review -> resolved
2018-01-23 11:21:23 | larry | set | messages: +msg310497
2018-01-22 10:18:07 | larry | set | messages: +msg310411
2017-12-26 11:03:38 | serhiy.storchaka | set | messages: +msg309059
2017-12-25 09:32:28 | serhiy.storchaka | link | issue31988 superseder
2017-11-30 22:15:35 | serhiy.storchaka | set | messages: +msg307347
2017-11-30 21:50:34 | serhiy.storchaka | set | pull_requests: +pull_request4570
2017-11-30 21:43:52 | serhiy.storchaka | set | pull_requests: +pull_request4568
2017-11-30 21:28:49 | serhiy.storchaka | set | nosy: +larry
2017-11-30 21:26:20 | python-dev | set | pull_requests: +pull_request4566
2017-11-30 21:26:13 | serhiy.storchaka | set | messages: +msg307344
2017-11-28 17:09:37 | serhiy.storchaka | set | messages: +msg307145
2017-11-18 19:16:37 | serhiy.storchaka | set | keywords: +patch; stage: patch review; pull_requests: +pull_request4393
2017-11-18 19:06:16 | serhiy.storchaka | create |