From 4d8f9e2e4461de92bd1e0c92ed433480d761670f Mon Sep 17 00:00:00 2001

From: Ned Deily <nad@python.org>

Date: Mon, 19 Oct 2020 22:36:27 -0400

Subject: [PATCH] bpo-42051: Reject XML entity declarations in plist files

 (GH-22760) (GH-22801)

​

Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>

(cherry picked from commit e512bc799e3864fe3b1351757261762d63471efc)

​

Co-authored-by: Ned Deily <nad@python.org>

---

 Lib/plistlib.py                                                    |   10 +++++

 Lib/test/test_plistlib.py                                          |   19 ++++++++++

 Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst |    3 +

 3 files changed, 32 insertions(+)

 create mode 100644 Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst

​

--- a/Lib/plistlib.py

+++ b/Lib/plistlib.py

@@ -403,9 +403,19 @@ class PlistParser:

         parser.StartElementHandler = self.handleBeginElement

         parser.EndElementHandler = self.handleEndElement

         parser.CharacterDataHandler = self.handleData

+        parser.EntityDeclHandler = self.handle_entity_decl

         parser.ParseFile(fileobj)

         return self.root

+    def handle_entity_decl(self, entity_name, is_parameter_entity, value,

+                           base, system_id, public_id, notation_name):

+        # Reject plist files with entity declarations to avoid XML

+        # vulnerabilies in expat. Regular plist files don't contain

+        # those declerations, and Apple's plutil tool does not accept

+        # them either.

+        raise ValueError(

+            "XML entity declarations are not supported in plist files")

+

     def handleBeginElement(self, element, attrs):

         self.data = []

         handler = getattr(self, "begin_" + element, None)

--- a/Lib/test/test_plistlib.py

+++ b/Lib/test/test_plistlib.py

@@ -86,6 +86,19 @@ TESTDATA = """<?xml version="1.0" encodi

 </plist>

 """.replace(" " * 8, "\t")  # Apple as well as plistlib.py output hard tabs

+XML_PLIST_WITH_ENTITY=b'''\

+<?xml version="1.0" encoding="UTF-8"?>

+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd" [

+   <!ENTITY entity "replacement text">

+  ]>

+<plist version="1.0">

+  <dict>

+    <key>A</key>

+    <string>&entity;</string>

+  </dict>

+</plist>

+'''

+

 class TestPlistlib(unittest.TestCase):

@@ -195,6 +208,12 @@ class TestPlistlib(unittest.TestCase):

         self.assertEqual(test1, result1)

         self.assertEqual(test2, result2)

+    def test_xml_plist_with_entity_decl(self):

+        with self.assertRaisesRegexp(ValueError,

+                                     "XML entity declarations are not supported"):

+            plistlib.readPlistFromString(XML_PLIST_WITH_ENTITY)

+

+

 def test_main():

     test_support.run_unittest(TestPlistlib)

--- /dev/null

+++ b/Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst

@@ -0,0 +1,3 @@

+The :mod:`plistlib` module no longer accepts entity declarations in XML

+plist files to avoid XML vulnerabilities. This should not affect users as

+entity declarations are not used in regular plist files.

​