#37183 closed Cleanup/optimization (fixed)
Prevent writing control characters into XML attributes in syndication feeds
| Reported by: | Jacob Walls | Owned by: | Jacob Walls |
|---|---|---|---|
| Component: | contrib.syndication | Version: | dev |
| Severity: | Normal | Keywords: | not-security, control |
| Cc: | Triage Stage: | Ready for checkin | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
The Security Team received a report about constructing a syndication feed item from invalid user input (a control character) breaking an entire feed by causing the XML document to be unparseable.
Control characters other than HT, LF, and CR are not valid in XML. The code path through the XML serializers was adjusted in #20197 to raise a ValueError for these characters, but we didn't cover the syndication app, which also uses SimplerXMLGenerator.
We closed the report since it involves unsanitized user input, but we could raise a nice ValueError (or subclass) to prevent silently writing invalid XML documents.
Thanks sy2n0 for the report.
Change History (5)
comment:1 by , 3 weeks ago
| Has patch: | set |
|---|
comment:2 by , 3 weeks ago
| Triage Stage: | Unreviewed → Accepted |
|---|
comment:3 by , 3 weeks ago
| Triage Stage: | Accepted → Ready for checkin |
|---|
PR