Uh oh!
There was an error while loading.Please reload this page.
- Notifications
You must be signed in to change notification settings - Fork32.4k
gh-115133: test_xml_etree.py: Fix for Expat >=2.6.0 with reparse deferral (fixes #115133)#115138
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Closed
hartwork wants to merge1 commit intopython:mainfromhartwork:issue-115133-fix-etree-xml-pull-parser-tests-for-expat-2-6-0
Closed
Uh oh!
There was an error while loading.Please reload this page.
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
3c711d7 toa147a3eCompareIt rather defeats the purpose of the test. The purpose of the incremental parsing is that you can process the XML file without reading all data and building the full tree. This test tests that you get the parsed data as fast as the corresponding input data is available. The modified test only tests that it is available after feeding all input data and closing the parser. But you do not need the incremental parsing for this. |
I wonder how this affects stuff like XMPP where you actually need incremental parsing for things to work at all. |
Snild-Sony commentedFeb 7, 2024
I'm not sure how to guarantee that one gets the data "as fast as the input", but it should at least be possible to assert thatsome parsing happens before
Probably not well, at least in general. With XMPP specifically, you may get lucky and always send a whole packet for parsing at once (or just generally have small tokens), in which case there will be no incomplete tokens and therefore no need for reparse deferral. But it will be very implementation-dependent. For such a special usecase, this should work as a "flush" operation: |
hardfalcon commentedFeb 7, 2024 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
In case it's relevant to anyone: Python 3.11.8, built with the patch from this pull request against expat 2.6.0, and also using expat 2.6.0 after installing said Python package, is working just fine for me, both for running Gajim (an XMPP client written in Python) and for running a matrix-synapse server. |
13 tasks
Thank you for your PR, but it was fixed by#115164 which keeps some of more strict testing. |
gpshead pushed a commit that referenced this pull requestFeb 29, 2024
…GH-115623)Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) by adding five new methods:- `xml.etree.ElementTree.XMLParser.flush`- `xml.etree.ElementTree.XMLPullParser.flush`- `xml.parsers.expat.xmlparser.GetReparseDeferralEnabled`- `xml.parsers.expat.xmlparser.SetReparseDeferralEnabled`- `xml.sax.expatreader.ExpatParser.flush`Based on the "flush" idea from#115138 (comment) .### Notes- Please treat as a security fix related toCVE-2023-52425.Includes code suggested-by: Snild Dolkow <snild@sony.com>and by core dev Serhiy Storchaka.
hartwork added a commit to hartwork/cpython that referenced this pull requestMar 2, 2024
…52425) (pythonGH-115623)Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) by adding five new methods:- `xml.etree.ElementTree.XMLParser.flush`- `xml.etree.ElementTree.XMLPullParser.flush`- `xml.parsers.expat.xmlparser.GetReparseDeferralEnabled`- `xml.parsers.expat.xmlparser.SetReparseDeferralEnabled`- `xml.sax.expatreader.ExpatParser.flush`Based on the "flush" idea frompython#115138 (comment) .- Please treat as a security fix related toCVE-2023-52425.Includes code suggested-by: Snild Dolkow <snild@sony.com>and by core dev Serhiy Storchaka.(cherry picked from commit6a95676)
This was referencedMar 2, 2024
Merged
Merged
hartwork added a commit to hartwork/cpython that referenced this pull requestMar 3, 2024
…52425) (pythonGH-115623)Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) by adding five new methods:- `xml.etree.ElementTree.XMLParser.flush`- `xml.etree.ElementTree.XMLPullParser.flush`- `xml.parsers.expat.xmlparser.GetReparseDeferralEnabled`- `xml.parsers.expat.xmlparser.SetReparseDeferralEnabled`- `xml.sax.expatreader.ExpatParser.flush`Based on the "flush" idea frompython#115138 (comment) .- Please treat as a security fix related toCVE-2023-52425.Includes code suggested-by: Snild Dolkow <snild@sony.com>and by core dev Serhiy Storchaka.(cherry picked from commit6a95676)
hartwork added a commit to hartwork/cpython that referenced this pull requestMar 3, 2024
…52425) (pythonGH-115623)Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) by adding five new methods:- `xml.etree.ElementTree.XMLParser.flush`- `xml.etree.ElementTree.XMLPullParser.flush`- `xml.parsers.expat.xmlparser.GetReparseDeferralEnabled`- `xml.parsers.expat.xmlparser.SetReparseDeferralEnabled`- `xml.sax.expatreader.ExpatParser.flush`Based on the "flush" idea frompython#115138 (comment) .- Please treat as a security fix related toCVE-2023-52425.Includes code suggested-by: Snild Dolkow <snild@sony.com>and by core dev Serhiy Storchaka.(cherry picked from commit6a95676)
hartwork added a commit to hartwork/cpython that referenced this pull requestMar 3, 2024
…52425) (pythonGH-115623)Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) by adding five new methods:- `xml.etree.ElementTree.XMLParser.flush`- `xml.etree.ElementTree.XMLPullParser.flush`- `xml.parsers.expat.xmlparser.GetReparseDeferralEnabled`- `xml.parsers.expat.xmlparser.SetReparseDeferralEnabled`- `xml.sax.expatreader.ExpatParser.flush`Based on the "flush" idea frompython#115138 (comment) .- Please treat as a security fix related toCVE-2023-52425.Includes code suggested-by: Snild Dolkow <snild@sony.com>and by core dev Serhiy Storchaka.(cherry picked from commit6a95676)
hartwork added a commit to hartwork/cpython that referenced this pull requestMar 3, 2024
…52425) (pythonGH-115623)Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) by adding five new methods:- `xml.etree.ElementTree.XMLParser.flush`- `xml.etree.ElementTree.XMLPullParser.flush`- `xml.parsers.expat.xmlparser.GetReparseDeferralEnabled`- `xml.parsers.expat.xmlparser.SetReparseDeferralEnabled`- `xml.sax.expatreader.ExpatParser.flush`Based on the "flush" idea frompython#115138 (comment) .- Please treat as a security fix related toCVE-2023-52425.Includes code suggested-by: Snild Dolkow <snild@sony.com>and by core dev Serhiy Storchaka.(cherry picked from commit6a95676)
woodruffw pushed a commit to woodruffw-forks/cpython that referenced this pull requestMar 4, 2024
…52425) (pythonGH-115623)Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) by adding five new methods:- `xml.etree.ElementTree.XMLParser.flush`- `xml.etree.ElementTree.XMLPullParser.flush`- `xml.parsers.expat.xmlparser.GetReparseDeferralEnabled`- `xml.parsers.expat.xmlparser.SetReparseDeferralEnabled`- `xml.sax.expatreader.ExpatParser.flush`Based on the "flush" idea frompython#115138 (comment) .- Please treat as a security fix related toCVE-2023-52425.Includes code suggested-by: Snild Dolkow <snild@sony.com>and by core dev Serhiy Storchaka.
gpshead added a commit that referenced this pull requestMar 6, 2024
…-52425) (GH-115623) (GH-116248)Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) by adding five new methods:- `xml.etree.ElementTree.XMLParser.flush`- `xml.etree.ElementTree.XMLPullParser.flush`- `xml.parsers.expat.xmlparser.GetReparseDeferralEnabled`- `xml.parsers.expat.xmlparser.SetReparseDeferralEnabled`- `xml.sax.expatreader.ExpatParser.flush`Based on the "flush" idea from#115138 (comment) .- Please treat as a security fix related toCVE-2023-52425.(cherry picked from commit6a95676)(cherry picked from commit73807eb)(cherry picked from commiteda2963)---------Includes code suggested-by: Snild Dolkow <snild@sony.com>and by core dev Serhiy Storchaka.Co-authored-by: Gregory P. Smith <greg@krypto.org>
hartwork added a commit to hartwork/cpython that referenced this pull requestMar 6, 2024
…52425) (pythonGH-115623)Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) by adding five new methods:- `xml.etree.ElementTree.XMLParser.flush`- `xml.etree.ElementTree.XMLPullParser.flush`- `xml.parsers.expat.xmlparser.GetReparseDeferralEnabled`- `xml.parsers.expat.xmlparser.SetReparseDeferralEnabled`- `xml.sax.expatreader.ExpatParser.flush`Based on the "flush" idea frompython#115138 (comment) .- Please treat as a security fix related toCVE-2023-52425.Includes code suggested-by: Snild Dolkow <snild@sony.com>and by core dev Serhiy Storchaka.(cherry picked from commit6a95676)
github-actionsbot pushed a commit to m-aciek/python-docs-weblate that referenced this pull requestMar 6, 2024
…-52425) (GH-115623) (GH-116248)Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) by adding five new methods:- `xml.etree.ElementTree.XMLParser.flush`- `xml.etree.ElementTree.XMLPullParser.flush`- `xml.parsers.expat.xmlparser.GetReparseDeferralEnabled`- `xml.parsers.expat.xmlparser.SetReparseDeferralEnabled`- `xml.sax.expatreader.ExpatParser.flush`Based on the "flush" idea frompython/cpython#115138 (comment) .- Please treat as a security fix related toCVE-2023-52425.(cherry picked from commit 6a95676bb526261434dd068d6c49927c44d24a9b)(cherry picked from commit 73807eb634315f70a464a18feaae33d9e065de09)(cherry picked from commit eda2963378a3c292cf6bb202bb00e94e46ee6d90)---------Includes code suggested-by: Snild Dolkow <snild@sony.com>and by core dev Serhiy Storchaka.Co-authored-by: Gregory P. Smith <greg@krypto.org>CPython-sync-commit-latest: 0a01ed6c2a116bd3e174fce33c21d84d650de569
gpshead added a commit that referenced this pull requestMar 6, 2024
…-52425) (GH-115623) (#116268)Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) by adding five new methods:- `xml.etree.ElementTree.XMLParser.flush`- `xml.etree.ElementTree.XMLPullParser.flush`- `xml.parsers.expat.xmlparser.GetReparseDeferralEnabled`- `xml.parsers.expat.xmlparser.SetReparseDeferralEnabled`- `xml.sax.expatreader.ExpatParser.flush`Based on the "flush" idea from#115138 (comment) .- Please treat as a security fix related toCVE-2023-52425.(cherry picked from commit 6a95676)(cherry picked from commit73807eb)(cherry picked from commiteda2963)---------Includes code suggested-by: Snild Dolkow <snild@sony.com>and by core dev Serhiy Storchaka.Co-authored-by: Gregory P. Smith <greg@krypto.org>
ambv pushed a commit that referenced this pull requestMar 6, 2024
…-52425) (GH-115623) (GH-116270)Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) by adding five new methods:- `xml.etree.ElementTree.XMLParser.flush`- `xml.etree.ElementTree.XMLPullParser.flush`- `xml.parsers.expat.xmlparser.GetReparseDeferralEnabled`- `xml.parsers.expat.xmlparser.SetReparseDeferralEnabled`- `xml.sax.expatreader.ExpatParser.flush`Based on the "flush" idea from#115138 (comment) .Includes code suggested-by: Snild Dolkow <snild@sony.com>and by core dev Serhiy Storchaka.Co-authored-by: Gregory P. Smith <greg@krypto.org>
ambv pushed a commit that referenced this pull requestMar 6, 2024
…52425) (GH-115623) (GH-116272)Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) by adding five new methods:- `xml.etree.ElementTree.XMLParser.flush`- `xml.etree.ElementTree.XMLPullParser.flush`- `xml.parsers.expat.xmlparser.GetReparseDeferralEnabled`- `xml.parsers.expat.xmlparser.SetReparseDeferralEnabled`- `xml.sax.expatreader.ExpatParser.flush`Based on the "flush" idea from#115138 (comment) .Includes code suggested-by: Snild Dolkow <snild@sony.com>and by core dev Serhiy Storchaka.Co-authored-by: Gregory P. Smith <greg@krypto.org>
ambv pushed a commit that referenced this pull requestMar 6, 2024
…52425) (GH-115623) (GH-116275)Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) by adding five new methods:- `xml.etree.ElementTree.XMLParser.flush`- `xml.etree.ElementTree.XMLPullParser.flush`- `xml.parsers.expat.xmlparser.GetReparseDeferralEnabled`- `xml.parsers.expat.xmlparser.SetReparseDeferralEnabled`- `xml.sax.expatreader.ExpatParser.flush`Based on the "flush" idea from#115138 (comment) .Includes code suggested-by: Snild Dolkow <snild@sony.com>and by core dev Serhiy Storchaka.Co-authored-by: Gregory P. Smith <greg@krypto.org>
adorilson pushed a commit to adorilson/cpython that referenced this pull requestMar 25, 2024
…52425) (pythonGH-115623)Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) by adding five new methods:- `xml.etree.ElementTree.XMLParser.flush`- `xml.etree.ElementTree.XMLPullParser.flush`- `xml.parsers.expat.xmlparser.GetReparseDeferralEnabled`- `xml.parsers.expat.xmlparser.SetReparseDeferralEnabled`- `xml.sax.expatreader.ExpatParser.flush`Based on the "flush" idea frompython#115138 (comment) .### Notes- Please treat as a security fix related toCVE-2023-52425.Includes code suggested-by: Snild Dolkow <snild@sony.com>and by core dev Serhiy Storchaka.
diegorusso pushed a commit to diegorusso/cpython that referenced this pull requestApr 17, 2024
…52425) (pythonGH-115623)Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) by adding five new methods:- `xml.etree.ElementTree.XMLParser.flush`- `xml.etree.ElementTree.XMLPullParser.flush`- `xml.parsers.expat.xmlparser.GetReparseDeferralEnabled`- `xml.parsers.expat.xmlparser.SetReparseDeferralEnabled`- `xml.sax.expatreader.ExpatParser.flush`Based on the "flush" idea frompython#115138 (comment) .### Notes- Please treat as a security fix related toCVE-2023-52425.Includes code suggested-by: Snild Dolkow <snild@sony.com>and by core dev Serhiy Storchaka.
jessecomeau87 pushed a commit to jessecomeau87/Python that referenced this pull requestMay 20, 2024
… (GH-115623)Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) by adding five new methods:- `xml.etree.ElementTree.XMLParser.flush`- `xml.etree.ElementTree.XMLPullParser.flush`- `xml.parsers.expat.xmlparser.GetReparseDeferralEnabled`- `xml.parsers.expat.xmlparser.SetReparseDeferralEnabled`- `xml.sax.expatreader.ExpatParser.flush`Based on the "flush" idea frompython/cpython#115138 (comment) .- Please treat as a security fix related toCVE-2023-52425.Includes code suggested-by: Snild Dolkow <snild@sony.com>and by core dev Serhiy Storchaka.(cherry picked from commit6a95676)
Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading.Please reload this page.
Fixes#115133