UAF: xml.etree.ElementTree.Element.__deepcopy__ when concurrent mutations happen #133009

Open
picnixz opened this issue Apr 26, 2025 · 0 comments
Labels: extension-modules (C modules in the Modules dir), topic-XML, type-crash (A hard crash of the interpreter, possibly with a core dump)

picnixz commented Apr 26, 2025

Crash report

What happened?

Reproducer:

```python
import xml.etree.ElementTree as ET
from copy import deepcopy

class Evil(ET.Element):
    def __deepcopy__(self, memo):
        # Mutate the parent while deepcopy(root) is still copying its children.
        root.clear()
        return self

root = ET.Element('a')
root.append(Evil('x'))
deepcopy(root)
```

CPython versions tested on:

CPython main branch

Operating systems tested on:

No response

Output from running 'python -VV' on the command line:

Python 3.14.0a7+ (heads/main:7f02ded29fb, Apr 26 2025, 14:29:01) [GCC 7.5.0]

picnixz added the extension-modules (C modules in the Modules dir) and type-crash (A hard crash of the interpreter, possibly with a core dump) labels Apr 26, 2025
picnixz self-assigned this Apr 26, 2025