CaROS/poky
3
1
Fork 0
mirror of https://git.yoctoproject.org/git/poky synced 2026-01-01 13:58:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

python3-xmltodict: fix CVE-2025-9375

Browse Source 
Reference:
	https://nvd.nist.gov/vuln/detail/CVE-2025-9375
	https://security-tracker.debian.org/tracker/CVE-2025-9375
	https://git.launchpad.net/ubuntu/+source/python-xmltodict/commit/?id=e8110a20e00d80db31d5fc9f8f4577328385d6b6

Upstream-patch:
	ecd456ab88
	f98c90f071

(From OE-Core rev: 30624cce634cade0b030aa71a03be754abbf3da9)

Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Saravanan 2025-10-13 17:22:44 +05:30 committed by Steve Sakoman
parent a04f9ab3a5
commit 2ab1bedda9
3 changed files with 289 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

111
meta/recipes-devtools/python/python3-xmltodict/CVE-2025-9375-1.patch Normal file
View File

@ -0,0 +1,111 @@
From ecd456ab88d379514b116ef9293318b74e5ed3ee Mon Sep 17 00:00:00 2001
From: Martin Blech <78768+martinblech@users.noreply.github.com>
Date: Thu, 4 Sep 2025 17:25:39 -0700
Subject: [PATCH] Prevent XML injection: reject '<'/'>' in element/attr names
(incl. @xmlns)
* Add tests for tag names, attribute names, and @xmlns prefixes; confirm attr values are escaped.
CVE: CVE-2025-9375
Upstream-Status: Backport
https://github.com/martinblech/xmltodict/commit/ecd456ab88d379514b116ef9293318b74e5ed3ee
https://git.launchpad.net/ubuntu/+source/python-xmltodict/commit/?id=e8110a20e00d80db31d5fc9f8f4577328385d6b6
Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
---
tests/test_dicttoxml.py | 32 ++++++++++++++++++++++++++++++++
xmltodict.py | 20 +++++++++++++++++++-
2 files changed, 51 insertions(+), 1 deletion(-)
Index: python-xmltodict-0.13.0/tests/test_dicttoxml.py
===================================================================
--- python-xmltodict-0.13.0.orig/tests/test_dicttoxml.py
+++ python-xmltodict-0.13.0/tests/test_dicttoxml.py
@@ -213,3 +213,35 @@ xmlns:b="http://b.com/"><x a:attr="val">
expected_xml = '<?xml version="1.0" encoding="utf-8"?>\n<x>false</x>'
xml = unparse(dict(x=False))
self.assertEqual(xml, expected_xml)
+
+ def test_rejects_tag_name_with_angle_brackets(self):
+ # Minimal guard: disallow '<' or '>' to prevent breaking tag context
+ with self.assertRaises(ValueError):
+ unparse({"m><tag>content</tag": "unsafe"}, full_document=False)
+
+ def test_rejects_attribute_name_with_angle_brackets(self):
+ # Now we expect bad attribute names to be rejected
+ with self.assertRaises(ValueError):
+ unparse(
+ {"a": {"@m><tag>content</tag": "unsafe", "#text": "x"}},
+ full_document=False,
+ )
+
+ def test_rejects_malicious_xmlns_prefix(self):
+ # xmlns prefixes go under @xmlns mapping; reject angle brackets in prefix
+ with self.assertRaises(ValueError):
+ unparse(
+ {
+ "a": {
+ "@xmlns": {"m><bad": "http://example.com/"},
+ "#text": "x",
+ }
+ },
+ full_document=False,
+ )
+
+ def test_attribute_values_with_angle_brackets_are_escaped(self):
+ # Attribute values should be escaped by XMLGenerator
+ xml = unparse({"a": {"@attr": "1<middle>2", "#text": "x"}}, full_document=False)
+ # The generated XML should contain escaped '<' and '>' within the attribute value
+ self.assertIn('attr="1&lt;middle&gt;2"', xml)
Index: python-xmltodict-0.13.0/xmltodict.py
===================================================================
--- python-xmltodict-0.13.0.orig/xmltodict.py
+++ python-xmltodict-0.13.0/xmltodict.py
@@ -379,6 +379,14 @@ def parse(xml_input, encoding=None, expa
return handler.item
+def _has_angle_brackets(value):
+ """Return True if value (a str) contains '<' or '>'.
+
+ Non-string values return False. Uses fast substring checks implemented in C.
+ """
+ return isinstance(value, str) and ("<" in value or ">" in value)
+
+
def _process_namespace(name, namespaces, ns_sep=':', attr_prefix='@'):
if not namespaces:
return name
@@ -412,6 +420,9 @@ def _emit(key, value, content_handler,
if result is None:
return
key, value = result
+ # Minimal validation to avoid breaking out of tag context
+ if _has_angle_brackets(key):
+ raise ValueError('Invalid element name: "<" or ">" not allowed')
if (not hasattr(value, '__iter__')
or isinstance(value, _basestring)
or isinstance(value, dict)):
@@ -445,12 +456,19 @@ def _emit(key, value, content_handler,
attr_prefix)
if ik == '@xmlns' and isinstance(iv, dict):
for k, v in iv.items():
+ if _has_angle_brackets(k):
+ raise ValueError(
+ 'Invalid attribute name: "<" or ">" not allowed'
+ )
attr = 'xmlns{}'.format(':{}'.format(k) if k else '')
attrs[attr] = _unicode(v)
continue
if not isinstance(iv, _unicode):
iv = _unicode(iv)
- attrs[ik[len(attr_prefix):]] = iv
+ attr_name = ik[len(attr_prefix) :]
+ if _has_angle_brackets(attr_name):
+ raise ValueError('Invalid attribute name: "<" or ">" not allowed')
+ attrs[attr_name] = iv
continue
children.append((ik, iv))
if pretty:

176
meta/recipes-devtools/python/python3-xmltodict/CVE-2025-9375-2.patch Normal file
View File

@ -0,0 +1,176 @@
From f98c90f071228ed73df997807298e1df4f790c33 Mon Sep 17 00:00:00 2001
From: Martin Blech <78768+martinblech@users.noreply.github.com>
Date: Mon, 8 Sep 2025 11:18:33 -0700
Subject: [PATCH] Enhance unparse() XML name validation with stricter rules and
tests
Extend existing validation (previously only for "<" and ">") to also
reject element, attribute, and xmlns prefix names that are non-string,
start with "?" or "!", or contain "/", spaces, tabs, or newlines.
Update _emit and namespace handling to use _validate_name. Add tests
covering these new invalid name cases.
CVE: CVE-2025-9375
Upstream-Status: Backport
https://github.com/martinblech/xmltodict/commit/f98c90f071228ed73df997807298e1df4f790c33
https://git.launchpad.net/ubuntu/+source/python-xmltodict/commit/?id=e8110a20e00d80db31d5fc9f8f4577328385d6b6
Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com
---
tests/test_dicttoxml.py | 60 +++++++++++++++++++++++++++++++++++++++++
xmltodict.py | 48 ++++++++++++++++++++++++++-------
2 files changed, 99 insertions(+), 9 deletions(-)
Index: python-xmltodict-0.13.0/tests/test_dicttoxml.py
===================================================================
--- python-xmltodict-0.13.0.orig/tests/test_dicttoxml.py
+++ python-xmltodict-0.13.0/tests/test_dicttoxml.py
@@ -245,3 +245,63 @@ xmlns:b="http://b.com/"><x a:attr="val">
xml = unparse({"a": {"@attr": "1<middle>2", "#text": "x"}}, full_document=False)
# The generated XML should contain escaped '<' and '>' within the attribute value
self.assertIn('attr="1&lt;middle&gt;2"', xml)
+
+ def test_rejects_tag_name_starting_with_question(self):
+ with self.assertRaises(ValueError):
+ unparse({"?pi": "data"}, full_document=False)
+
+ def test_rejects_tag_name_starting_with_bang(self):
+ with self.assertRaises(ValueError):
+ unparse({"!decl": "data"}, full_document=False)
+
+ def test_rejects_attribute_name_starting_with_question(self):
+ with self.assertRaises(ValueError):
+ unparse({"a": {"@?weird": "x"}}, full_document=False)
+
+ def test_rejects_attribute_name_starting_with_bang(self):
+ with self.assertRaises(ValueError):
+ unparse({"a": {"@!weird": "x"}}, full_document=False)
+
+ def test_rejects_xmlns_prefix_starting_with_question_or_bang(self):
+ with self.assertRaises(ValueError):
+ unparse({"a": {"@xmlns": {"?p": "http://e/"}}}, full_document=False)
+ with self.assertRaises(ValueError):
+ unparse({"a": {"@xmlns": {"!p": "http://e/"}}}, full_document=False)
+
+ def test_rejects_non_string_names(self):
+ class Weird:
+ def __str__(self):
+ return "bad>name"
+
+ # Non-string element key
+ with self.assertRaises(ValueError):
+ unparse({Weird(): "x"}, full_document=False)
+ # Non-string attribute key
+ with self.assertRaises(ValueError):
+ unparse({"a": {Weird(): "x"}}, full_document=False)
+
+ def test_rejects_tag_name_with_slash(self):
+ with self.assertRaises(ValueError):
+ unparse({"bad/name": "x"}, full_document=False)
+
+ def test_rejects_tag_name_with_whitespace(self):
+ for name in ["bad name", "bad\tname", "bad\nname"]:
+ with self.assertRaises(ValueError):
+ unparse({name: "x"}, full_document=False)
+
+ def test_rejects_attribute_name_with_slash(self):
+ with self.assertRaises(ValueError):
+ unparse({"a": {"@bad/name": "x"}}, full_document=False)
+
+ def test_rejects_attribute_name_with_whitespace(self):
+ for name in ["@bad name", "@bad\tname", "@bad\nname"]:
+ with self.assertRaises(ValueError):
+ unparse({"a": {name: "x"}}, full_document=False)
+
+ def test_rejects_xmlns_prefix_with_slash_or_whitespace(self):
+ # Slash
+ with self.assertRaises(ValueError):
+ unparse({"a": {"@xmlns": {"bad/prefix": "http://e/"}}}, full_document=False)
+ # Whitespace
+ with self.assertRaises(ValueError):
+ unparse({"a": {"@xmlns": {"bad prefix": "http://e/"}}}, full_document=False)
Index: python-xmltodict-0.13.0/xmltodict.py
===================================================================
--- python-xmltodict-0.13.0.orig/xmltodict.py
+++ python-xmltodict-0.13.0/xmltodict.py
@@ -387,7 +387,42 @@ def _has_angle_brackets(value):
return isinstance(value, str) and ("<" in value or ">" in value)
+def _has_invalid_name_chars(value):
+ """Return True if value (a str) contains any disallowed name characters.
+
+ Disallowed: '<', '>', '/', or any whitespace character.
+ Non-string values return False.
+ """
+ if not isinstance(value, str):
+ return False
+ if "<" in value or ">" in value or "/" in value:
+ return True
+ # Check for any whitespace (spaces, tabs, newlines, etc.)
+ return any(ch.isspace() for ch in value)
+
+
+def _validate_name(value, kind):
+ """Validate an element/attribute name for XML safety.
+
+ Raises ValueError with a specific reason when invalid.
+
+ kind: 'element' or 'attribute' (used in error messages)
+ """
+ if not isinstance(value, str):
+ raise ValueError(f"{kind} name must be a string")
+ if value.startswith("?") or value.startswith("!"):
+ raise ValueError(f'Invalid {kind} name: cannot start with "?" or "!"')
+ if "<" in value or ">" in value:
+ raise ValueError(f'Invalid {kind} name: "<" or ">" not allowed')
+ if "/" in value:
+ raise ValueError(f'Invalid {kind} name: "/" not allowed')
+ if any(ch.isspace() for ch in value):
+ raise ValueError(f"Invalid {kind} name: whitespace not allowed")
+
+
def _process_namespace(name, namespaces, ns_sep=':', attr_prefix='@'):
+ if not isinstance(name, str):
+ return name
if not namespaces:
return name
try:
@@ -421,8 +456,7 @@ def _emit(key, value, content_handler,
return
key, value = result
# Minimal validation to avoid breaking out of tag context
- if _has_angle_brackets(key):
- raise ValueError('Invalid element name: "<" or ">" not allowed')
+ _validate_name(key, "element")
if (not hasattr(value, '__iter__')
or isinstance(value, _basestring)
or isinstance(value, dict)):
@@ -451,23 +485,19 @@ def _emit(key, value, content_handler,
if ik == cdata_key:
cdata = iv
continue
- if ik.startswith(attr_prefix):
+ if isinstance(ik, str) and ik.startswith(attr_prefix):
ik = _process_namespace(ik, namespaces, namespace_separator,
attr_prefix)
if ik == '@xmlns' and isinstance(iv, dict):
for k, v in iv.items():
- if _has_angle_brackets(k):
- raise ValueError(
- 'Invalid attribute name: "<" or ">" not allowed'
- )
+ _validate_name(k, "attribute")
attr = 'xmlns{}'.format(':{}'.format(k) if k else '')
attrs[attr] = _unicode(v)
continue
if not isinstance(iv, _unicode):
iv = _unicode(iv)
attr_name = ik[len(attr_prefix) :]
- if _has_angle_brackets(attr_name):
- raise ValueError('Invalid attribute name: "<" or ">" not allowed')
+ _validate_name(attr_name, "attribute")
attrs[attr_name] = iv
continue
children.append((ik, iv))

2
meta/recipes-devtools/python/python3-xmltodict_0.13.0.bb
View File

@ -13,6 +13,8 @@ inherit pypi setuptools3 ptest
SRC_URI += " \
file://run-ptest \
file://CVE-2025-9375-1.patch \
file://CVE-2025-9375-2.patch \
"
RDEPENDS:${PN} += " \