[issue46794] Please update bundled libexpat to 2.4.6 with security fixes (5 CVEs)

sping report at bugs.python.org
Sun Feb 20 11:20:27 EST 2022


sping <sebastian at pipping.org> added the comment:

Hi Michal,


TL;DR would be:

- There is a regression but none of these test failures are related.

- There will be a release Expat 2.4.6 with the regression fixed later today.

- The 3 failing tests need (small) adjustments to Expat 2.4.5
  and these failures are not considered bugs in Expat.

I will demo a fix to 2 of the 3 test failures below:


# git diff -U1 | cat
diff --git a/Lib/test/test_minidom.py b/Lib/test/test_minidom.py
index 1663b1f114..38cea97a97 100644
--- a/Lib/test/test_minidom.py
+++ b/Lib/test/test_minidom.py
@@ -12,2 +12,3 @@
 from xml.dom.minidom import getDOMImplementation
+from xml.parsers.expat import ExpatError
 
@@ -1149,4 +1150,6 @@ def testEncodings(self):
         # of crashing
-        self.assertRaises(UnicodeDecodeError, parseString,
-                b'<fran\xe7ais>Comment \xe7a va ? Tr\xe8s bien ?</fran\xe7ais>')
+        self.assertRaises(ExpatError, parseString,
+                b'<fran\xe7ais></fran\xe7ais>')
+        self.assertRaises(ExpatError, parseString,
+                b'<franais>Comment \xe7a va ? Tr\xe8s bien ?</franais>')
 
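Review bot: both new assertRaises calls in testEncodings check only the exception type ExpatError, so any parse failure satisfies them, not specifically the undecodable \xe7 and \xe8 bytes this test is about. Consider assertRaisesRegex with the expected message, as the testExceptionOnSpacesInXMLNSValue hunk does, or an assertion on the exception's code. The replaced line expected UnicodeDecodeError, so if the suite also has to pass against an Expat older than 2.4.5, the expected exception needs to be selected by Expat version rather than hard-coded.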
@@ -1611,3 +1614,3 @@ def testEmptyXMLNSValue(self):
     def testExceptionOnSpacesInXMLNSValue(self):
-        with self.assertRaisesRegex(ValueError, 'Unsupported syntax'):
+        with self.assertRaisesRegex(ExpatError, "syntax error"):
             parseString('<element xmlns:abc="http:abc.com/de f g/hi/j k"><abc:foo /></element>')
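Review bot: the pattern "syntax error" passed to assertRaisesRegex is generic, so the test no longer shows that the failure comes from the spaces in the xmlns:abc value rather than from any other malformed input. Assert on the exception's code or reported position as well. The move from ValueError to ExpatError is also visible to callers of parseString that catch ValueError, which deserves a line in the change notes.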
             

For the third test, the key is that the closing curly brace is used as the
namespace separator in line 3660…

  self->parser = EXPAT(ParserCreate_MM)(encoding, &ExpatMemoryHandler, "}");
  
…in file Modules/_elementtree.c (which is okay but part of the test failure).

Best

Sebastian

----------
title: Please update bundled libexpat to 2.4.5 with security fixes (5 CVEs) -> Please update bundled libexpat to 2.4.6 with security fixes (5 CVEs)

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue46794>
_______________________________________
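
The remark about the third test turns on what a namespace separator of "}" means to Expat. As an added example (not part of the original message and not CPython's own code), the Python below shows the element names Expat reports with that separator and probes a namespace URI that itself contains it. The sample documents, the example.invalid URIs and the helper names are constructed for illustration, and the probe's outcome depends on the libexpat the interpreter is linked against.

```python
# Added illustration: helper names and sample documents are constructed.
import xml.parsers.expat as expat
from xml.parsers.expat import ExpatError

SEP = "}"  # the separator string passed to ParserCreate_MM in the quoted C line


def start_names(xml_bytes, sep=SEP):
    """Return the element names Expat reports with namespace processing on."""
    names = []
    parser = expat.ParserCreate(namespace_separator=sep)
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(xml_bytes, True)
    return names


def to_universal(name, sep=SEP):
    """Turn Expat's 'uri}local' into the '{uri}local' form ElementTree exposes."""
    return "{" + name if sep in name else name


def probe_separator_in_uri(sep=SEP):
    """Parse a namespace URI that contains the separator character itself.

    Returns ("rejected", message) when the linked Expat refuses the document,
    or ("accepted", names) when it passes the ambiguous name through.
    """
    doc = b'<a xmlns="http://example.invalid/x' + sep.encode() + b'y"/>'
    try:
        return ("accepted", start_names(doc, sep))
    except ExpatError as exc:
        return ("rejected", expat.ErrorString(exc.code))


if __name__ == "__main__":
    print("linked against", expat.EXPAT_VERSION)
    plain = start_names(b'<a xmlns="http://example.invalid/ns"><b/></a>')
    print([to_universal(n) for n in plain])
    # An accepted result here means "uri}local" can no longer be split
    # unambiguously, because the URI part already contains the separator.
    print(probe_separator_in_uri())
```
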

