gh-148954: sanitize methodname in xmlrpc.client.dumps() to prevent XML injection#148968
gh-148954: sanitize methodname in xmlrpc.client.dumps() to prevent XML injection#148968sanyamk23 wants to merge 6 commits intopython:mainfrom
Conversation
|
The following commit authors need to sign the Contributor License Agreement: |
…ent XML injection
sanyamk23
force-pushed
the
fix-xmlrpc-methodname-sanitization
branch
from
4c5e015 to
4e67dfd
Compare
picnixz
left a comment
picnixz
left a comment
There was a problem hiding this comment.
- Please sign the CLA.
- Please don't use LLM to generate your PRs or summary. See https://devguide.python.org/getting-started/generative-ai/.
- Add tests if possible.
- Don't force push and don't update your PR with the "Update branch" button. In particular, read the devguide.
|
A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated. Once you have made the requested changes, please leave a comment on this pull request containing the phrase |
picnixz
left a comment
picnixz
left a comment
There was a problem hiding this comment.
cc @sethmlarson @StanFromIreland (I think this was a GHSA right? I didn't follow the discussion so there might be more that you wanted to add).
|
FTR: this was GHSA-w5gj-44cx-wmcj. |
3 participants
Summary
This PR fixes an XML injection vulnerability in
xmlrpc.client.dumps()where themethodnamewas interpolated directly into the<methodName>tag without escaping.Details
The
methodnameis now passed through the module'sescape()helper function before being added to the XML request body. This prevents attackers from injecting arbitrary XML markup if they can control the method name.Verification
'foo</methodName><injected attr="evil"/><methodName>bar'is correctly escaped as'foo</methodName><injected attr="evil"/><methodName>bar'.Fixes gh-148954