gh-115133: Fix tests for XMLPullParser with Expat 2.6.0 #115164


serhiy-storchaka
Member

@serhiy-storchaka serhiy-storchaka commented Feb 8, 2024

Feeding the parser by too small chunks defers parsing to prevent CVE-2023-52425. Future versions of Expat may be more reactive.

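An added example (not code from this PR or from CPython's test suite) showing the behaviour the description refers to: with Expat 2.6.0 reparse deferral, feeding an XMLPullParser in small chunks can leave many consecutive feed() calls with no readable events, but the complete event sequence after close() is the same for every chunk size. The sample document is constructed for this example; the flush() call is only used where the running Python provides XMLPullParser.flush() (added in 3.13 and backported to some earlier releases as a security fix), which is why it is looked up with getattr().

```python
import xml.etree.ElementTree as ET
import pyexpat

# Constructed sample document for this example (not the document used by
# CPython's test_xml_etree); roughly 100 bytes, above every chunk size below.
SAMPLE_XML = (
    b"<root>\n"
    b"  <element key='value'>text</element>\n"
    b"  <element>text</element>tail\n"
    b"  <empty-element/>\n"
    b"</root>\n"
)

# The (action, tag) events XMLPullParser emits for SAMPLE_XML with start/end
# events enabled, independent of how the bytes are split into chunks.
EXPECTED_EVENTS = [
    ("start", "root"),
    ("start", "element"), ("end", "element"),
    ("start", "element"), ("end", "element"),
    ("start", "empty-element"), ("end", "empty-element"),
    ("end", "root"),
]


def chunks(data, size):
    """Split bytes into consecutive chunks of at most `size` bytes."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def parse_in_chunks(data, chunk_size, flush_each=False):
    """Feed `data` to an XMLPullParser `chunk_size` bytes at a time.

    Returns (events, per_feed_counts): the complete (action, tag) sequence
    after close(), and how many events became readable after each feed().
    With Expat >= 2.6.0 (reparse deferral, the CVE-2023-52425 mitigation),
    small chunks can leave many consecutive feeds with zero events; the
    deferred work is done at the latest by close(), so `events` is the same
    for every chunk size. If `flush_each` is true and this Python provides
    XMLPullParser.flush(), each feed is followed by a flush, which forces
    the deferred parsing and restores the per-feed timing older Expat had.
    """
    parser = ET.XMLPullParser(events=("start", "end"))
    flush = getattr(parser, "flush", None) if flush_each else None
    events, per_feed_counts = [], []
    for chunk in chunks(data, chunk_size):
        parser.feed(chunk)
        if flush is not None:
            flush()
        new = [(action, elem.tag) for action, elem in parser.read_events()]
        per_feed_counts.append(len(new))
        events.extend(new)
    parser.close()  # final Parse() call: nothing stays deferred past this
    events.extend((action, elem.tag) for action, elem in parser.read_events())
    return events, per_feed_counts


def feeds_without_events(data, chunk_size):
    """Number of feed() calls after which no new event was readable.

    On Expat < 2.6.0 this counts only feeds that genuinely end mid-token;
    on 2.6.0 it also counts feeds whose parsing was deferred, so the exact
    value depends on the Expat version pyexpat is linked against.
    """
    _, counts = parse_in_chunks(data, chunk_size)
    return sum(1 for n in counts if n == 0)


if __name__ == "__main__":
    print("Expat version:", pyexpat.version_info)
    for size in (1, 8, 22, len(SAMPLE_XML)):
        events, counts = parse_in_chunks(SAMPLE_XML, size)
        assert events == EXPECTED_EVENTS
        print(f"chunk_size={size:3d}: events per feed {counts}")
    print("flush() available:", hasattr(ET.XMLPullParser(), "flush"))
```

Run it against a Python linked with Expat 2.6.0 and again against an older Expat: the per-feed counts for small chunk sizes differ (long runs of zeros under 2.6.0), while the event list after close() is identical in both cases, which is the property a test should assert when it cannot assume a particular Expat version.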
@lazka
Contributor

lazka commented Feb 10, 2024

It still fails here with this patch applied:

FAIL: test_simple_xml_chunk_8 (test.test_xml_etree.XMLPullParserTest.test_simple_xml_chunk_8)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "D:\a\cpython-mingw\cpython-mingw\Lib\test\test_xml_etree.py", line 1438, in test_simple_xml_chunk_8
    self.test_simple_xml(chunk_size=8)
  File "D:\a\cpython-mingw\cpython-mingw\Lib\test\test_xml_etree.py", line 1418, in test_simple_xml
    self.assert_event_tags(parser, [('end', 'element')])
  File "D:\a\cpython-mingw\cpython-mingw\Lib\test\test_xml_etree.py", line 1405, in assert_event_tags
    self.assertEqual([(action, elem.tag) for action, elem in events],
AssertionError: Lists differ: [] != [('end', 'element')]

Second list contains 1 additional elements.
First extra element 0:
('end', 'element')

- []
+ [('end', 'element')]
> python3 -c "import pyexpat; print(pyexpat.version_info)"
(2, 6, 0)

@serhiy-storchaka
Member Author

What is the smallest value of chunk_size with which the test would pass?

@lazka
Contributor

lazka commented Feb 10, 2024

chunk_size=22 is the smallest value that works on my machine.

@serhiy-storchaka
Member Author

Thank you for testing @lazka.

@serhiy-storchaka serhiy-storchaka merged commit 4a08e7b into python:main Feb 11, 2024
32 checks passed
@miss-islington-app

Thanks @serhiy-storchaka for the PR 🌮🎉.. I'm working now to backport this PR to: 3.11, 3.12.
🐍🍒⛏🤖

@serhiy-storchaka serhiy-storchaka deleted the test-etree-xmlpullparser-expat-2.6.0 branch February 11, 2024 10:08
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Feb 11, 2024
…GH-115164)

Feeding the parser by too small chunks defers parsing to prevent
CVE-2023-52425. Future versions of Expat may be more reactive.
(cherry picked from commit 4a08e7b)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
@bedevere-app

bedevere-app bot commented Feb 11, 2024

GH-115288 is a backport of this pull request to the 3.12 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.12 bug and security fixes label Feb 11, 2024
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Feb 11, 2024
…GH-115164)

@bedevere-app

bedevere-app bot commented Feb 11, 2024

GH-115289 is a backport of this pull request to the 3.11 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.11 only security fixes label Feb 11, 2024
serhiy-storchaka added a commit that referenced this pull request Feb 11, 2024
…5164) (GH-115288)

serhiy-storchaka added a commit that referenced this pull request Feb 11, 2024
…5164) (GH-115289)

@hartwork hartwork mentioned this pull request Feb 12, 2024
fsc-eriker pushed a commit to fsc-eriker/cpython that referenced this pull request Feb 14, 2024
…GH-115164)

@hartwork hartwork mentioned this pull request Feb 14, 2024
@miss-islington-app

Thanks @serhiy-storchaka for the PR 🌮🎉.. I'm working now to backport this PR to: 3.8.
🐍🍒⛏🤖

@miss-islington-app

Thanks @serhiy-storchaka for the PR 🌮🎉.. I'm working now to backport this PR to: 3.9.
🐍🍒⛏🤖

@miss-islington-app

Thanks @serhiy-storchaka for the PR 🌮🎉.. I'm working now to backport this PR to: 3.10.
🐍🍒⛏🤖

@miss-islington-app

Sorry, @serhiy-storchaka, I could not cleanly backport this to 3.8 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 4a08e7b3431cd32a0daf22a33421cd3035343dc4 3.8

@miss-islington-app

Sorry, @serhiy-storchaka, I could not cleanly backport this to 3.9 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 4a08e7b3431cd32a0daf22a33421cd3035343dc4 3.9

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Feb 15, 2024
…GH-115164)

@bedevere-app

bedevere-app bot commented Feb 15, 2024

GH-115525 is a backport of this pull request to the 3.10 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.10 only security fixes label Feb 15, 2024
sethmlarson pushed a commit to sethmlarson/cpython that referenced this pull request Feb 15, 2024
…ythonGH-115164)

sethmlarson pushed a commit to sethmlarson/cpython that referenced this pull request Feb 15, 2024
…ythonGH-115164)

@sethmlarson
Contributor

Created backports for 3.9 and 3.8 manually:

pablogsal pushed a commit that referenced this pull request Feb 19, 2024
…5164) (#115525)

naveen521kk pushed a commit to naveen521kk/cpython that referenced this pull request Feb 19, 2024
…ythonGH-115164) (pythonGH-115288)

ambv pushed a commit that referenced this pull request Feb 21, 2024
) (GH-115536)

naveen521kk pushed a commit to naveen521kk/cpython that referenced this pull request Feb 21, 2024
…ythonGH-115164) (pythonGH-115288)

naveen521kk pushed a commit to naveen521kk/cpython that referenced this pull request Jul 11, 2024
…ythonGH-115164) (pythonGH-115288)

naveen521kk pushed a commit to msys2-contrib/cpython-mingw that referenced this pull request Aug 5, 2024
…ythonGH-115164) (pythonGH-115288)

Labels: needs backport to 3.9 (only security fixes), tests (Tests in the Lib/test dir)
5 participants