Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

UAF:xml.etree.ElementTree.Element.find* when concurrent mutations happen #126037

Closed
Assignees
picnixz
Labels
3.12only security fixes3.13bugs and security fixes3.14bugs and security fixesextension-modulesC modules in the Modules dirtopic-XMLtype-crashA hard crash of the interpreter, possibly with a core dump
@picnixz

Description

@picnixz

Crash report

What happened?

Similar to#126033, the following crashes:

importxml.etree.ElementTreeasETclassEvilTag(str):def__eq__(self,other):base.clear()returnFalsebase=ET.Element('a')base.append(ET.Element(EvilTag('x')))base.find('a')

Attacked code:

for (i=0;i<self->extra->length;i++) {
PyObject*item=self->extra->children[i];
intrc;
assert(Element_Check(st,item));
Py_INCREF(item);
rc=PyObject_RichCompareBool(((ElementObject*)item)->tag,path,Py_EQ);
if (rc>0)
returnitem;
Py_DECREF(item);
if (rc<0)
returnNULL;
}

Thefindall andfindtext methods also suffer from the same vulnerability. I haven't tried to attackElement.iterfind yet since it delegates to the Python functionElementPath.iterfind instead.

CPython versions tested on:

CPython main branch

Operating systems tested on:

No response

Output from running 'python -VV' on the command line:

No response

Linked PRs

Metadata

Metadata

Assignees

Labels

3.12only security fixes3.13bugs and security fixes3.14bugs and security fixesextension-modulesC modules in the Modules dirtopic-XMLtype-crashA hard crash of the interpreter, possibly with a core dump

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions

    [8]ページ先頭
    ©2009-2025 Movatter.jp