NotificationsYou must be signed in to change notification settings
Fork32.4k
Star67.9k

[3.8] gh-115398: Expose Expat >=2.6.0 reparse deferral API (CVE-2023-52425) (GH-115623)#116275

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Jump to bottom

Merged

ambv merged 3 commits intopython:3.8fromhartwork:backport-6a95676-3.8

Mar 6, 2024

Merged

[3.8] gh-115398: Expose Expat >=2.6.0 reparse deferral API (CVE-2023-52425) (GH-115623)#116275

ambv merged 3 commits intopython:3.8fromhartwork:backport-6a95676-3.8

Mar 6, 2024

Conversation

Copy link

Contributor

hartwork commentedMar 3, 2024•
edited by bedevere-appbot
Loading

Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) by adding five new methods:

xml.etree.ElementTree.XMLParser.flush
xml.etree.ElementTree.XMLPullParser.flush
xml.parsers.expat.xmlparser.GetReparseDeferralEnabled
xml.parsers.expat.xmlparser.SetReparseDeferralEnabled
xml.sax.expatreader.ExpatParser.flush

Based on the "flush" idea from#115138 (comment) .

Please treat as a security fix related toCVE-2023-52425.

Includes code suggested-by: Snild Dolkowsnild@sony.com
and by core dev Serhiy Storchaka.

(cherry picked from commit6a95676)

Issue:Please expose Expat >=2.6.0 API functionXML_SetReparseDeferralEnabled #115398

pythongh-115398: Expose Expat >=2.6.0 reparse deferral API (CVE-2023-…

1110d3e

…52425) (pythonGH-115623)Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) by adding five new methods:- `xml.etree.ElementTree.XMLParser.flush`- `xml.etree.ElementTree.XMLPullParser.flush`- `xml.parsers.expat.xmlparser.GetReparseDeferralEnabled`- `xml.parsers.expat.xmlparser.SetReparseDeferralEnabled`- `xml.sax.expatreader.ExpatParser.flush`Based on the "flush" idea frompython#115138 (comment) .- Please treat as a security fix related toCVE-2023-52425.Includes code suggested-by: Snild Dolkow <snild@sony.com>and by core dev Serhiy Storchaka.(cherry picked from commit6a95676)

bedevere-appbot added the awaiting review label

Mar 3, 2024

bedevere-appbot mentioned this pull request

Mar 3, 2024

gh-115398: Expose Expat >=2.6.0 reparse deferral API (CVE-2023-52425)#115623

Merged

bedevere-appbot added type-feature

A feature request or enhancement

type-securityA security issue labels

Mar 3, 2024

bedevere-appbot mentioned this pull request

Mar 3, 2024

Please expose Expat >=2.6.0 API functionXML_SetReparseDeferralEnabled#115398

Closed

hartworkand others added2 commits

March 6, 2024 22:24

pythongh-115398: Suggest use ofhasattrwith checking for 3.13 Expa…

ad77f04

…t API availability (pythonGH-116278)Suggest use of "hasattr" with checking for 3.13 Expat API availability(cherry picked from commit73807eb)

RESTify news API list.

7e19a6f

(cherry picked from commiteda2963)

gpshead reviewed

Mar 6, 2024

View reviewed changes

Doc/library/pyexpat.rst

		Calling ``SetReparseDeferralEnabled(True)`` allows re-enabling reparse
		deferral.

		Note that :meth:`SetReparseDeferralEnabled` has been backported to some

Copy link

Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Consider eliding this first sentence within the 3.8 back port docs as it won't be backported further. The overall "check for availability" advice is valid regardless though.

Copy link

ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

@gpshead I'm unsure of better wording, it's not wrong technically and I see some value in having all branches agree on this text — my vote for keeping as is. If it's dear to you, I can change it. In that case please help me find better wording for 3.8.