CaROS/poky
3
1
Fork 0
mirror of https://git.yoctoproject.org/git/poky synced 2026-01-04 16:10:04 +00:00
Code Issues Packages Projects Releases Wiki Activity
792947d444
poky/meta/recipes-devtools/python/python3-xmltodict/CVE-2025-9375-1.patch
Saravanan 2ab1bedda9 python3-xmltodict: fix CVE-2025-9375 
Reference:
	https://nvd.nist.gov/vuln/detail/CVE-2025-9375
	https://security-tracker.debian.org/tracker/CVE-2025-9375
	https://git.launchpad.net/ubuntu/+source/python-xmltodict/commit/?id=e8110a20e00d80db31d5fc9f8f4577328385d6b6

Upstream-patch:
	ecd456ab88
	f98c90f071

(From OE-Core rev: 30624cce634cade0b030aa71a03be754abbf3da9)

Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-10-24 06:23:39 -07:00

112 lines
4.8 KiB
Diff
Raw Blame History

From ecd456ab88d379514b116ef9293318b74e5ed3ee Mon Sep 17 00:00:00 2001
From: Martin Blech <78768+martinblech@users.noreply.github.com>
Date: Thu, 4 Sep 2025 17:25:39 -0700
Subject: [PATCH] Prevent XML injection: reject '<'/'>' in element/attr names
(incl. @xmlns)
* Add tests for tag names, attribute names, and @xmlns prefixes; confirm attr values are escaped.
CVE: CVE-2025-9375
Upstream-Status: Backport
https://github.com/martinblech/xmltodict/commit/ecd456ab88d379514b116ef9293318b74e5ed3ee
https://git.launchpad.net/ubuntu/+source/python-xmltodict/commit/?id=e8110a20e00d80db31d5fc9f8f4577328385d6b6
Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
---
tests/test_dicttoxml.py | 32 ++++++++++++++++++++++++++++++++
xmltodict.py | 20 +++++++++++++++++++-
2 files changed, 51 insertions(+), 1 deletion(-)
Index: python-xmltodict-0.13.0/tests/test_dicttoxml.py
===================================================================
--- python-xmltodict-0.13.0.orig/tests/test_dicttoxml.py
+++ python-xmltodict-0.13.0/tests/test_dicttoxml.py
@@ -213,3 +213,35 @@ xmlns:b="http://b.com/"><x a:attr="val">
expected_xml = '<?xml version="1.0" encoding="utf-8"?>\n<x>false</x>'
xml = unparse(dict(x=False))
self.assertEqual(xml, expected_xml)
+
+ def test_rejects_tag_name_with_angle_brackets(self):
+ # Minimal guard: disallow '<' or '>' to prevent breaking tag context
+ with self.assertRaises(ValueError):
+ unparse({"m><tag>content</tag": "unsafe"}, full_document=False)
+
+ def test_rejects_attribute_name_with_angle_brackets(self):
+ # Now we expect bad attribute names to be rejected
+ with self.assertRaises(ValueError):
+ unparse(
+ {"a": {"@m><tag>content</tag": "unsafe", "#text": "x"}},
+ full_document=False,
+ )
+
+ def test_rejects_malicious_xmlns_prefix(self):
+ # xmlns prefixes go under @xmlns mapping; reject angle brackets in prefix
+ with self.assertRaises(ValueError):
+ unparse(
+ {
+ "a": {
+ "@xmlns": {"m><bad": "http://example.com/"},
+ "#text": "x",
+ }
+ },
+ full_document=False,
+ )
+
+ def test_attribute_values_with_angle_brackets_are_escaped(self):
+ # Attribute values should be escaped by XMLGenerator
+ xml = unparse({"a": {"@attr": "1<middle>2", "#text": "x"}}, full_document=False)
+ # The generated XML should contain escaped '<' and '>' within the attribute value
+ self.assertIn('attr="1&lt;middle&gt;2"', xml)
Index: python-xmltodict-0.13.0/xmltodict.py
===================================================================
--- python-xmltodict-0.13.0.orig/xmltodict.py
+++ python-xmltodict-0.13.0/xmltodict.py
@@ -379,6 +379,14 @@ def parse(xml_input, encoding=None, expa
return handler.item
+def _has_angle_brackets(value):
+ """Return True if value (a str) contains '<' or '>'.
+
+ Non-string values return False. Uses fast substring checks implemented in C.
+ """
+ return isinstance(value, str) and ("<" in value or ">" in value)
+
+
def _process_namespace(name, namespaces, ns_sep=':', attr_prefix='@'):
if not namespaces:
return name
@@ -412,6 +420,9 @@ def _emit(key, value, content_handler,
if result is None:
return
key, value = result
+ # Minimal validation to avoid breaking out of tag context
+ if _has_angle_brackets(key):
+ raise ValueError('Invalid element name: "<" or ">" not allowed')
if (not hasattr(value, '__iter__')
or isinstance(value, _basestring)
or isinstance(value, dict)):
@@ -445,12 +456,19 @@ def _emit(key, value, content_handler,
attr_prefix)
if ik == '@xmlns' and isinstance(iv, dict):
for k, v in iv.items():
+ if _has_angle_brackets(k):
+ raise ValueError(
+ 'Invalid attribute name: "<" or ">" not allowed'
+ )
attr = 'xmlns{}'.format(':{}'.format(k) if k else '')
attrs[attr] = _unicode(v)
continue
if not isinstance(iv, _unicode):
iv = _unicode(iv)
- attrs[ik[len(attr_prefix):]] = iv
+ attr_name = ik[len(attr_prefix) :]
+ if _has_angle_brackets(attr_name):
+ raise ValueError('Invalid attribute name: "<" or ">" not allowed')
+ attrs[attr_name] = iv
continue
children.append((ik, iv))
if pretty:
Reference in New Issue View Git Blame Copy Permalink