#36769 new Cleanup/optimization

Limit recursive extraction of field values in XML deserializer

Reported by: Jacob Walls
Owned by:
Component: Core (Serialization)
Version: dev
Severity: Normal
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

While investigating CVE-2025-64460 (mitigated in 50efb718b31333051bc2dcb06911b8fa1358c98c), we noticed that the private helper getInnerText supports extracting arbitrarily nested text; however, its only use in Django is to extract text at most one level deep, under a <natural> tag, like this fixture example.

We opted not to change this semantic in a patch release, but it occurred to me that we could only extract text at the exact expected depth (e.g. 0 if under <field> and 1 if under <field><natural>) and completely sidestep potential performance issues from invalid input making use of nested elements; see the recent Python CVE-2025-12084, which we also mitigated yesterday.

I would appreciate any arguments I might be missing, for example, if there are legitimate use cases for ingesting text from nested tags (e.g. from unescaped markup) that this proposal would break.
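The depth-bounded extraction proposed above, as an added example that is not Django's code and not part of the ticket. It uses only the standard library's minidom, a constructed fixture (the `app.thing` model and its field names are invented), and assumed helper names: `inner_text_recursive` walks every descendant, while `direct_text` and `field_value` accept text only at depth 0 for a plain field or depth 1 under direct `<natural>` children, and reject (returning `None`) anything nested deeper instead of descending into it.

```python
from xml.dom import minidom
# Constructed fixture (not from the ticket): a plain <field>, a natural-key
# <field><natural>, and a field whose text sits under unexpected nested tags.
FIXTURE = """<django-objects version="1.0">
  <object model="app.thing" pk="1">
    <field name="title" type="CharField">hello</field>
    <field name="owner" rel="ManyToOneRel" to="app.owner"><natural>alice</natural></field>
    <field name="note" type="CharField"><b><i><u>deep</u></i></b></field>
  </object>
</django-objects>"""

def inner_text_recursive(node):
    """Unbounded walk: concatenates text from every descendant, however deep."""
    parts = []
    for child in node.childNodes:
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            parts.append(child.data)
        elif child.nodeType == child.ELEMENT_NODE:
            parts.append(inner_text_recursive(child))
    return "".join(parts)

class UnexpectedNesting(ValueError): pass  # an element appeared where only text is expected

def direct_text(node):
    """Depth-0 extraction: direct text children only; a child element is rejected."""
    parts = []
    for child in node.childNodes:
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            parts.append(child.data)
        elif child.nodeType == child.ELEMENT_NODE:
            raise UnexpectedNesting(f"<{child.tagName}> inside <{node.tagName}>")
    return "".join(parts).strip()

def field_value(field_node):
    """Plain field: depth 0; natural-key field: each direct <natural> (depth 1); else None."""
    try:
        elems = [c for c in field_node.childNodes if c.nodeType == c.ELEMENT_NODE]
        if elems and all(e.tagName == "natural" for e in elems):
            return [direct_text(e) for e in elems]
        return direct_text(field_node)
    except UnexpectedNesting:
        return None

def parse_fields_recursive(xml_text):
    doc = minidom.parseString(xml_text)
    return {f.getAttribute("name"): inner_text_recursive(f).strip() for f in doc.getElementsByTagName("field")}

def parse_fields_bounded(xml_text):
    doc = minidom.parseString(xml_text)
    return {f.getAttribute("name"): field_value(f) for f in doc.getElementsByTagName("field")}
```

The recursive variant silently flattens the `note` field to "deep"; the bounded variant returns `None` for it without visiting the nested elements at all.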

Change History (0)
