Opened 52 minutes ago
Last modified 39 minutes ago
#37183 assigned Cleanup/optimization
Prevent writing control characters into XML attributes in syndication feeds
| Reported by: | Jacob Walls | Owned by: | Jacob Walls |
|---|---|---|---|
| Component: | contrib.syndication | Version: | dev |
| Severity: | Normal | Keywords: | not-security, control |
| Cc: | | Triage Stage: | Unreviewed |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
The Security Team received a report about constructing a syndication feed item from invalid user input (a control character) breaking an entire feed by causing the XML document to be unparseable.
Control characters other than HT, LF, and CR are not valid in XML. The code path through the XML serializers was adjusted in #20197 to raise a ValueError for these characters, but we didn't cover the syndication app, which also uses SimplerXMLGenerator.
We closed the report since it involves unsanitized user input, but we could raise a nice ValueError (or subclass) to prevent silently writing invalid XML documents.
Thanks sy2n0 for the report.
PR
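The failure mode described in the ticket (a C0 control character written straight into an XML attribute or text node, leaving the whole feed unparseable) and the proposed fix (reject such input with a ValueError before serializing) can be shown with the standard library alone. The following is an added example, not Django's code and not the patch attached to this ticket: `check_xml_safe`, `render_item` and `feed_is_parseable` are hypothetical helpers, and the feed fields are constructed sample input. It writes one `<item>` through `xml.sax.saxutils.XMLGenerator` (the base class of Django's `SimplerXMLGenerator`) with and without the check, and parses the result the way a feed reader would.

```python
import re
from io import StringIO
from xml.dom.minidom import parseString
from xml.sax.saxutils import XMLGenerator

# XML 1.0 forbids the C0 control characters except HT (0x09), LF (0x0A)
# and CR (0x0D). Hypothetical helper pattern, not Django's own regex.
_INVALID_XML_CHARS = re.compile(r"[\x00-\x08\x0B\x0C\x0E-\x1F]")


def is_xml_safe(value: str) -> bool:
    """True if `value` contains no control character that XML 1.0 rejects."""
    return _INVALID_XML_CHARS.search(value) is None


def check_xml_safe(value: str, field: str = "value") -> str:
    """Return `value` unchanged, or raise ValueError naming the bad character.

    Raising here mirrors the behaviour the ticket asks for: fail loudly on
    one invalid item instead of silently emitting an unparseable document.
    """
    match = _INVALID_XML_CHARS.search(value)
    if match:
        raise ValueError(
            f"Control character {match.group()!r} at offset {match.start()} "
            f"in {field} is not allowed in XML"
        )
    return value


def _write_item(title: str, link: str, validate: bool) -> str:
    """Serialize one <item link="..."> element with XMLGenerator."""
    if validate:
        title = check_xml_safe(title, "title")
        link = check_xml_safe(link, "link")
    buf = StringIO()
    gen = XMLGenerator(buf, "utf-8")
    gen.startDocument()
    # quoteattr()/escape() inside XMLGenerator handle &, <, > and quotes,
    # but they do not touch control characters, hence the check above.
    gen.startElement("item", {"link": link})
    gen.characters(title)
    gen.endElement("item")
    gen.endDocument()
    return buf.getvalue()


def render_item(title: str, link: str) -> str:
    """Validated rendering: rejects control characters before writing."""
    return _write_item(title, link, validate=True)


def render_item_unchecked(title: str, link: str) -> str:
    """Unvalidated rendering, showing the failure the ticket describes."""
    return _write_item(title, link, validate=False)


def feed_is_parseable(xml_text: str) -> bool:
    """Parse with expat (via minidom), as a feed consumer would."""
    try:
        parseString(xml_text)
        return True
    except Exception:  # expat reports "not well-formed (invalid token)"
        return False


if __name__ == "__main__":
    # Constructed sample input: a normal title and one with a SOH byte.
    good = render_item("Hello & <World>", "https://example.com/?a=1&b=2")
    print(good, feed_is_parseable(good))
    broken = render_item_unchecked("bad\x01title", "https://example.com/")
    print("unchecked output parseable:", feed_is_parseable(broken))
    try:
        render_item("bad\x01title", "https://example.com/")
    except ValueError as exc:
        print("validated rendering rejected it:", exc)
```

Tab, LF and CR pass the check because XML 1.0 allows them; everything else below 0x20 is rejected. The pattern deliberately covers only the C0 range the ticket talks about, so DEL and the C1 controls (discouraged but not forbidden by XML 1.0) are left alone.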