Ronald Oussoren <ronaldousso...@mac.com> added the comment:

One option is to copy what defusedxml does to forbid a number of unsafe 
operations, see 
https://github.com/tiran/defusedxml/blob/eb38a2d710b67df48614cb5098ddb8472289ce6d/defusedxml/ElementTree.py#L68

Defusedxml uses an XMLParser subclass that optionally disables some features 
(such as entity definitions), for plistlib those features can be disabled 
unconditionally. 

I haven't thought much about the exceptions to use, probably a similar 
exception as is used for invalid plist files. 

Another thing I haven't really thought about: would such a change be 3.10 only 
or is this something we could backport?  

The following plist file currently works with plistlib, but does not work with 
plutil(1) on macOS 10.15 (parse error in the DTD definition).  That indicates 
that entity definitions aren't supposed to be used in plist files and it would 
be safe to disable this feature in plistlib.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd" [
   <!ENTITY entity "replacement text">
  ]>
<plist version="1.0">
  <dict>
    <key>A</key>
    <string>&entity;</string>
  </dict>
</plist>

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue42051>
_______________________________________
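The unconditional rejection of entity declarations proposed above, written as an added example in the style of defusedxml's expat handler hooks; this is not the tracker's or CPython's own code, and EntityDeclarationError, reject_entity_declarations, safe_plist_loads and outcome are hypothetical names. It exercises the plist from the comment and a constructed variant without the internal DTD subset.

```python
import plistlib
from xml.parsers import expat

class EntityDeclarationError(plistlib.InvalidFileException):
    """Hypothetical name; a subclass of the existing invalid-plist error."""

def reject_entity_declarations(data: bytes) -> None:
    """Run expat over data and raise on any entity declaration.

    expat reports <!ENTITY ...> from the internal subset via EntityDeclHandler;
    raising there aborts the parse, so the replacement text is never expanded.
    """
    parser = expat.ParserCreate()

    def forbid(*_args):
        raise EntityDeclarationError(
            "XML entity declarations are not supported in plist files")

    parser.EntityDeclHandler = forbid          # <!ENTITY name "value">
    parser.UnparsedEntityDeclHandler = forbid  # <!ENTITY name SYSTEM ... NDATA ...>
    parser.ExternalEntityRefHandler = forbid   # any external entity reference
    parser.Parse(data, True)

def safe_plist_loads(data: bytes):
    """Load an XML plist only after the entity-declaration check passes."""
    reject_entity_declarations(data)
    return plistlib.loads(data, fmt=plistlib.FMT_XML)

# Constructed inputs: the plist from the comment, and one without the subset.
ENTITY_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd" [
  <!ENTITY entity "replacement text">
]>
<plist version="1.0"><dict><key>A</key><string>&entity;</string></dict></plist>
"""
PLAIN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict><key>A</key><string>literal text</string></dict></plist>
"""

def outcome(data: bytes) -> str:
    """Return "rejected" for entity-bearing input, else the value of key A."""
    try:
        return safe_plist_loads(data)["A"]
    except EntityDeclarationError:
        return "rejected"
```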