[issue42051] plistlib inherits XML vulnerabilities: we should document them

Ronald Oussoren report at bugs.python.org
Sun Oct 18 10:24:00 EDT 2020


Ronald Oussoren <ronaldoussoren at mac.com> added the comment:

One option is to copy what defusedxml does to forbid a number of unsafe operations, see https://github.com/tiran/defusedxml/blob/eb38a2d710b67df48614cb5098ddb8472289ce6d/defusedxml/ElementTree.py#L68

Defusedxml uses an XMLParser subclass that optionally disables some features (such as entity definitions), for plistlib those features can be disabled unconditionally. 

I haven't thought much about the exceptions to use, probably a similar exception to the one used for invalid plist files.

Another thing I haven't really thought about: would such a change be 3.10 only or is this something we could backport?  

The following plist file currently works with plistlib, but does not work with plutil(1) on macOS 10.15 (parse error in the DTD definition).  That indicates that entity definitions aren't supposed to be used in plist files and it would be safe to disable this feature in plistlib.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd" [
   <!ENTITY entity "replacement text">
  ]>
<plist version="1.0">
  <dict>
    <key>A</key>
    <string>&entity;</string>
  </dict>
</plist>

----------

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue42051>
_______________________________________
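The defusedxml-style approach discussed above, as an added example that is not part of the original bug report or of plistlib's own code: plistlib drives `xml.parsers.expat` directly, and expat lets you install an `EntityDeclHandler` that fires while the DTD is being read, so raising from it aborts the parse before any element content (and any `&entity;` reference) is touched. The parser below only collects the text of `<string>` elements; the `collect_strings` and `UnsafePlistError` names, the `forbid_entities` switch and both sample documents are constructed for this example (the first sample is the plist from the post).

```python
"""Added example: reject DTD entity declarations with expat, the way
defusedxml does, using the same expat engine that plistlib is built on."""
from xml.parsers.expat import ParserCreate

# Constructed input: the plist from the bug report, with an internal
# entity declared in the DOCTYPE's internal subset.
ENTITY_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd" [
   <!ENTITY entity "replacement text">
  ]>
<plist version="1.0">
  <dict>
    <key>A</key>
    <string>&entity;</string>
  </dict>
</plist>
"""

# Constructed input: an ordinary plist with the standard DOCTYPE and no
# internal subset; this must keep working when entities are forbidden.
PLAIN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>A</key>
    <string>literal text</string>
  </dict>
</plist>
"""


class UnsafePlistError(ValueError):
    """Hypothetical error type for XML features a plist is not expected to use."""


def collect_strings(data, forbid_entities=True):
    """Parse `data` with expat and return the text of every <string> element.

    With forbid_entities=True an EntityDeclHandler is installed; expat calls it
    for every <!ENTITY ...> declaration it reads in the DTD, and an exception
    raised inside a pyexpat handler propagates out of Parse(), so the parse is
    aborted before the document body is reached.  With forbid_entities=False
    expat expands internal entities by default, which is the behaviour the
    bug report describes for plistlib.
    """
    parser = ParserCreate()
    strings = []
    current = []          # character-data chunks of the <string> being read
    in_string = False

    def start(name, attrs):
        nonlocal in_string
        if name == "string":
            in_string = True
            current.clear()

    def end(name):
        nonlocal in_string
        if name == "string":
            strings.append("".join(current))
            in_string = False

    def chars(text):
        # expat may deliver one text node in several chunks; join them at </string>.
        if in_string:
            current.append(text)

    def entity_decl(entity_name, is_parameter_entity, value, base,
                    system_id, public_id, notation_name):
        # Unconditional rejection: internal, external and parameter entities
        # all arrive here, so none of them can reach the content phase.
        raise UnsafePlistError(
            f"entity declaration {entity_name!r} is not allowed in a plist")

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    if forbid_entities:
        parser.EntityDeclHandler = entity_decl
    parser.Parse(data, True)
    return strings


if __name__ == "__main__":
    print(collect_strings(ENTITY_PLIST, forbid_entities=False))   # entity expanded
    print(collect_strings(PLAIN_PLIST))                           # still parses
    try:
        collect_strings(ENTITY_PLIST)
    except UnsafePlistError as exc:
        print("rejected:", exc)
```

Because every `<!ENTITY ...>` declaration aborts the parse, external and parameter entities are covered by the same handler, and the usual Apple DOCTYPE (which has no internal subset) is unaffected. The error type and message here are placeholders; the report leaves open which exception plistlib should raise.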