Opened 3 weeks ago

Closed 3 weeks ago

Last modified 3 weeks ago

#37183 closed Cleanup/optimization (fixed)

Prevent writing control characters into XML attributes in syndication feeds

Reported by: Jacob Walls Owned by: Jacob Walls
Component: contrib.syndication Version: dev
Severity: Normal Keywords: not-security, control
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

The Security Team received a report about constructing a syndication feed item from invalid user input (a control character) breaking an entire feed by causing the XML document to be unparseable.

Control characters other than HT, LF, and CR are not valid in XML. The code path through the XML serializers was adjusted in #20197 to raise a ValueError for these characters, but we didn't cover the syndication app, which also uses SimplerXMLGenerator.

We closed the report since it involves unsanitized user input, but we could raise a nice ValueError (or subclass) to prevent silently writing invalid XML documents.

Thanks sy2n0 for the report.

Change History (5)

comment:1 by Jacob Walls, 3 weeks ago

Has patch: set

comment:2 by Mike Edmunds, 3 weeks ago

Triage Stage: UnreviewedAccepted

comment:3 by Natalia Bidart, 3 weeks ago

Triage Stage: AcceptedReady for checkin

comment:4 by Jacob Walls <jacobtylerwalls@…>, 3 weeks ago

Resolution: fixed
Status: assignedclosed

In 67c4075:

Fixed #37183 -- Prevented writing control characters into XML attributes.

SimplerXMLGenerator already rejected control characters (unsupported
in XML 1.0) in element content, but attribute values were written
unchecked, so unsanitized input could still produce an unparseable
XML document. The existing check now runs over attribute values in
startElement(). This covers both syndication feeds, where item data
may flow into attributes such as Atom category terms, and the XML
serializer, which wraps the error to identify the offending object.

comment:5 by Jacob Walls <jacobtylerwalls@…>, 3 weeks ago

In aa8949b8:

[6.1.x] Fixed #37183 -- Prevented writing control characters into XML attributes.

SimplerXMLGenerator already rejected control characters (unsupported
in XML 1.0) in element content, but attribute values were written
unchecked, so unsanitized input could still produce an unparseable
XML document. The existing check now runs over attribute values in
startElement(). This covers both syndication feeds, where item data
may flow into attributes such as Atom category terms, and the XML
serializer, which wraps the error to identify the offending object.

Backport of 67c407585ccdc01b76d78e33c082f23d46346747 from main.

Note: See TracTickets for help on using tickets.
Back to Top