diff options
| author | Sebastian Pipping <sebastian@pipping.org> | 2024-02-29 22:52:50 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-02-29 22:52:50 (GMT) |
| commit | 6a95676bb526261434dd068d6c49927c44d24a9b (patch) | |
| tree | e610bee9b3ca230b4e157745ebbe38c8a9923f89 /Include | |
| parent | d01886c5c9e3a62921b304ba7e5145daaa56d3cf (diff) | |
| download | cpython-6a95676bb526261434dd068d6c49927c44d24a9b.zip cpython-6a95676bb526261434dd068d6c49927c44d24a9b.tar.gz cpython-6a95676bb526261434dd068d6c49927c44d24a9b.tar.bz2 | |
gh-115398: Expose Expat >=2.6.0 reparse deferral API (CVE-2023-52425) (GH-115623)
Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) by adding five new methods:
- `xml.etree.ElementTree.XMLParser.flush`
- `xml.etree.ElementTree.XMLPullParser.flush`
- `xml.parsers.expat.xmlparser.GetReparseDeferralEnabled`
- `xml.parsers.expat.xmlparser.SetReparseDeferralEnabled`
- `xml.sax.expatreader.ExpatParser.flush`
Based on the "flush" idea from https://github.com/python/cpython/pull/115138#issuecomment-1932444270 .
### Notes
- Please treat as a security fix related to CVE-2023-52425.
Includes code suggested-by: Snild Dolkow <snild@sony.com>
and by core dev Serhiy Storchaka.
Diffstat (limited to 'Include')
| -rw-r--r-- | Include/pyexpat.h | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/Include/pyexpat.h b/Include/pyexpat.h index 07020b5..9824d09 100644 --- a/Include/pyexpat.h +++ b/Include/pyexpat.h @@ -48,8 +48,10 @@ struct PyExpat_CAPI enum XML_Status (*SetEncoding)(XML_Parser parser, const XML_Char *encoding); int (*DefaultUnknownEncodingHandler)( void *encodingHandlerData, const XML_Char *name, XML_Encoding *info); - /* might be none for expat < 2.1.0 */ + /* might be NULL for expat < 2.1.0 */ int (*SetHashSalt)(XML_Parser parser, unsigned long hash_salt); + /* might be NULL for expat < 2.6.0 */ + XML_Bool (*SetReparseDeferralEnabled)(XML_Parser parser, XML_Bool enabled); /* always add new stuff to the end! */ }; |