Matej Cepl
e62ac867bc
- Security¶
- gh-115398: Allow controlling Expat >=2.6.0 reparse deferral
(CVE-2023-52425, bsc#1219559) by adding five new methods:
xml.etree.ElementTree.XMLParser.flush()
xml.etree.ElementTree.XMLPullParser.flush()
xml.parsers.expat.xmlparser.GetReparseDeferralEnabled()
xml.parsers.expat.xmlparser.SetReparseDeferralEnabled()
xml.sax.expatreader.ExpatParser.flush()
- gh-115399: Update bundled libexpat to 2.6.0 (bsc#1222075)
- gh-115243: Fix possible crashes in
collections.deque.index() when the deque is concurrently
modified.
- gh-114572: ssl.SSLContext.cert_store_stats() and
ssl.SSLContext.get_ca_certs() now correctly lock access to
the certificate store, when the ssl.SSLContext is shared
across multiple threads.
- Core and Builtins
- gh-109120: Added handle of incorrect star expressions, e.g
f(3, *). Patch by Grigoryev Semyon
- gh-99108: Updated the hashlib built-in HACL* project C code
from upstream that we use for many implementations when
they are not present via OpenSSL in a given build. This
also avoids the rare potential for a C symbol name one
definition rule linking issue.
- gh-116735: For INSTRUMENTED_CALL_FUNCTION_EX, set arg0 to
sys.monitoring.MISSING instead of None for CALL event.
- gh-113964: Starting new threads and process creation
through os.fork() are now only prevented once all
non-daemon threads exit.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python312?expand=0&rev=43
52 lines
1.9 KiB
Diff
52 lines
1.9 KiB
Diff
From f2eebf3c38eae77765247791576b437ec25ccfe2 Mon Sep 17 00:00:00 2001
|
|
From: Serhiy Storchaka <storchaka@gmail.com>
|
|
Date: Sun, 11 Feb 2024 12:08:39 +0200
|
|
Subject: [PATCH] gh-115133: Fix tests for XMLPullParser with Expat 2.6.0
|
|
(GH-115164)
|
|
|
|
Feeding the parser by too small chunks defers parsing to prevent
|
|
CVE-2023-52425. Future versions of Expat may be more reactive.
|
|
(cherry picked from commit 4a08e7b3431cd32a0daf22a33421cd3035343dc4)
|
|
|
|
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
|
---
|
|
Lib/test/test_xml_etree.py | 7 +++++++
|
|
Misc/NEWS.d/next/Library/2024-02-08-14-21-28.gh-issue-115133.ycl4ko.rst | 2 ++
|
|
2 files changed, 9 insertions(+)
|
|
create mode 100644 Misc/NEWS.d/next/Library/2024-02-08-14-21-28.gh-issue-115133.ycl4ko.rst
|
|
|
|
--- a/Lib/test/test_xml_etree.py
|
|
+++ b/Lib/test/test_xml_etree.py
|
|
@@ -121,6 +121,10 @@ ATTLIST_XML = """\
|
|
</foo>
|
|
"""
|
|
|
|
+fails_with_expat_2_6_0 = (unittest.expectedFailure
|
|
+ if pyexpat.version_info >= (2, 6, 0) else
|
|
+ lambda test: test)
|
|
+
|
|
def checkwarnings(*filters, quiet=False):
|
|
def decorator(test):
|
|
def newtest(*args, **kwargs):
|
|
@@ -1424,12 +1428,15 @@ class XMLPullParserTest(unittest.TestCas
|
|
self.assert_event_tags(parser, [('end', 'root')])
|
|
self.assertIsNone(parser.close())
|
|
|
|
+ @fails_with_expat_2_6_0
|
|
def test_simple_xml_chunk_1(self):
|
|
self.test_simple_xml(chunk_size=1, flush=True)
|
|
|
|
+ @fails_with_expat_2_6_0
|
|
def test_simple_xml_chunk_5(self):
|
|
self.test_simple_xml(chunk_size=5, flush=True)
|
|
|
|
+ @fails_with_expat_2_6_0
|
|
def test_simple_xml_chunk_22(self):
|
|
self.test_simple_xml(chunk_size=22)
|
|
|
|
--- /dev/null
|
|
+++ b/Misc/NEWS.d/next/Library/2024-02-08-14-21-28.gh-issue-115133.ycl4ko.rst
|
|
@@ -0,0 +1,2 @@
|
|
+Fix tests for :class:`~xml.etree.ElementTree.XMLPullParser` with Expat
|
|
+2.6.0.
|