[3.12] gh-115398: Expose Expat >=2.6.0 reparse deferral API (CVE-2023-52425) (GH-115623) (GH-116248)

Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) by adding five new methods: - `xml.etree.ElementTree.XMLParser.flush` - `xml.etree.ElementTree.XMLPullParser.flush` - `xml.parsers.expat.xmlparser.GetReparseDeferralEnabled` - `xml.parsers.expat.xmlparser.SetReparseDeferralEnabled` - `xml.sax.expatreader.ExpatParser.flush` Based on the "flush" idea from https://github.com/python/cpython/pull/115138#issuecomment-1932444270 . - Please treat as a security fix related to CVE-2023-52425. (cherry picked from commit 6a95676bb526261434dd068d6c49927c44d24a9b) (cherry picked from commit 73807eb634315f70a464a18feaae33d9e065de09) (cherry picked from commit eda2963378a3c292cf6bb202bb00e94e46ee6d90) --------- Includes code suggested-by: Snild Dolkow <snild@sony.com> and by core dev Serhiy Storchaka. Co-authored-by: Gregory P. Smith <greg@krypto.org>
author: Sebastian Pipping <sebastian@pipping.org> 2024-03-06 22:01:45 (GMT)
committer: GitHub <noreply@github.com> 2024-03-06 22:01:45 (GMT)
commit: 0a01ed6c2a116bd3e174fce33c21d84d650de569 (patch)
tree: 4172262e4a616c388212b133b9840eafa7c12932 /Lib/xml/etree/ElementTree.py
parent: 2528e46470162dd12a625ccb5dfe35fb7bcac1d3 (diff)
download: cpython-0a01ed6c2a116bd3e174fce33c21d84d650de569.zip
cpython-0a01ed6c2a116bd3e174fce33c21d84d650de569.tar.gz
cpython-0a01ed6c2a116bd3e174fce33c21d84d650de569.tar.bz2
1 files changed, 14 insertions, 0 deletions
diff --git a/Lib/xml/etree/ElementTree.py b/Lib/xml/etree/ElementTree.py
index bb7362d..fd2cc87 100644
--- a/Lib/xml/etree/ElementTree.py
+++ b/Lib/xml/etree/ElementTree.py
@@ -1313,6 +1313,11 @@ class XMLPullParser:
             else:
                 yield event
 
+    def flush(self):
+        if self._parser is None:
+            raise ValueError("flush() called after end of stream")
+        self._parser.flush()
+
 
 def XML(text, parser=None):
     """Parse XML document from string constant.
@@ -1719,6 +1724,15 @@ class XMLParser:
             del self.parser, self._parser
             del self.target, self._target
 
+    def flush(self):
+        was_enabled = self.parser.GetReparseDeferralEnabled()
+        try:
+            self.parser.SetReparseDeferralEnabled(False)
+            self.parser.Parse(b"", False)
+        except self._error as v:
+            self._raiseerror(v)
+        finally:
+            self.parser.SetReparseDeferralEnabled(was_enabled)
 
 # --------------------------------------------------------------------
 # C14N 2.0
author	Sebastian Pipping <sebastian@pipping.org>	2024-03-06 22:01:45 (GMT)
committer	GitHub <noreply@github.com>	2024-03-06 22:01:45 (GMT)
commit	0a01ed6c2a116bd3e174fce33c21d84d650de569 (patch)
tree	4172262e4a616c388212b133b9840eafa7c12932 /Lib/xml/etree/ElementTree.py
parent	2528e46470162dd12a625ccb5dfe35fb7bcac1d3 (diff)
download	cpython-0a01ed6c2a116bd3e174fce33c21d84d650de569.zip cpython-0a01ed6c2a116bd3e174fce33c21d84d650de569.tar.gz cpython-0a01ed6c2a116bd3e174fce33c21d84d650de569.tar.bz2