bpo-42051: Reject XML entity declarations in plist files (python#22760) (GC-22801)

Co-authored-by: Ronald Oussoren <[email protected]>
Co-authored-by: Ned Deily <[email protected]>

Add InvalidFileException class.
RaisesRegex is RaisesRegexp in python2.
plistlib.loads is in the python3 version of plistlib,
but there are too many changes to backport this simply.

Author: icanhasmath

Lib/plistlib.py

@@ -403,9 +403,16 @@ def parse(self, fileobj):
         parser.StartElementHandler = self.handleBeginElement
         parser.EndElementHandler = self.handleEndElement
         parser.CharacterDataHandler = self.handleData
+        parser.EntityDeclHandler = self.handle_entity_decl
         parser.ParseFile(fileobj)
         return self.root
 
+    def handle_entity_decl(self, entity_name, is_parameter_entity, value, base, system_id, public_id, notation_name):
+        # Reject plist files with entity declarations to avoid XML vulnerabilies in expat.
+        # Regular plist files don't contain those declerations, and Apple's plutil tool does not
+        # accept them either.
+        raise InvalidFileException("XML entity declarations are not supported in plist files")
+
     def handleBeginElement(self, element, attrs):
         self.data = []
         handler = getattr(self, "begin_" + element, None)
@@ -472,3 +479,8 @@ def end_data(self):
         self.addObject(Data.fromBase64(self.getData()))
     def end_date(self):
         self.addObject(_dateFromString(self.getData()))
+
+
+class InvalidFileException (ValueError):
+    def __init__(self, message="Invalid file"):
+        ValueError.__init__(self, message)

Lib/test/test_plistlib.py

@@ -86,6 +86,19 @@
 </plist>
 """.replace(" " * 8, "\t")  # Apple as well as plistlib.py output hard tabs
 
+XML_PLIST_WITH_ENTITY=b'''\
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd" [
+   <!ENTITY entity "replacement text">
+  ]>
+<plist version="1.0">
+  <dict>
+    <key>A</key>
+    <string>&entity;</string>
+  </dict>
+</plist>
+'''
+
 
 class TestPlistlib(unittest.TestCase):
 
@@ -195,6 +208,10 @@ def test_nondictroot(self):
         self.assertEqual(test1, result1)
         self.assertEqual(test2, result2)
 
+    def test_xml_plist_with_entity_decl(self):
+        with self.assertRaisesRegexp(plistlib.InvalidFileException,
+                                    "XML entity declarations are not supported"):
+            plistlib.readPlistFromString(XML_PLIST_WITH_ENTITY)
 
 def test_main():
     test_support.run_unittest(TestPlistlib)

Misc/NEWS.d/2.7.18.8.rst

@@ -0,0 +1,56 @@
+.. bpo: 37428
+.. date: 2024-02-15
+.. nonce: 
+.. release date: 2024-02-15
+.. section: Core and Builtins
+
+CVE-2023-40217
+
+SSLContext.post_handshake_auth = True no longer sets
+SSL_VERIFY_POST_HANDSHAKE verify flag for client connections. Although the
+option is documented as ignored for clients, OpenSSL implicitly enables cert
+chain validation when the flag is set.
+
+.. bpo: ?
+.. date: 2024-02-15
+.. nonce: 
+.. release date: 2024-02-15
+.. section: Core and Builtins
+
+CVE-2023-24329
+
+Start stripping C0 control and space chars in urlsplit (#… …102508)
+
+`urllib.parse.urlsplit` has already been respecting the WHATWG spec a bit #25595.
+
+This adds more sanitizing to respect the "Remove any leading C0 control or space from input" [rule](https://url.spec.whatwg.org/#url-parsing:~:text=Remove%20any%20leading%20and%20trailing%20C0%20control%20or%20space%20from%20input.) in response to [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329).
+
+.. bpo: 43882
+.. date: 2024-02-15
+.. nonce: 
+.. release date: 2024-02-15
+.. section: Core and Builtins
+
+CVE-2022-0391
+
+A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\r' and '\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.
+
+.. bpo: 43285
+.. date: 2024-02-15
+.. nonce: 
+.. release date: 2024-02-15
+.. section: Core and Builtins
+
+CVE-2021-4189
+
+A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.
+
+.. bpo: 42051
+.. date: 2024-03-12
+.. nonce:
+.. release date: 2024-03-12
+.. section: Core and Builtins
+
+CVE-2022-48565
+
+An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.

Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst

@@ -0,0 +1,3 @@
+The :mod: module no longer accepts entity declarations in XML
+plist files to avoid XML vulnerabilities. This should not affect users as
+entity declarations are not used in regular plist files.