Crash report
What happened?
Similar to #126033, the following crashes:
import xml.etree.ElementTree as ET
class EvilTag(str):
def __eq__(self, other):
base.clear()
return False
base = ET.Element('a')
base.append(ET.Element(EvilTag('x')))
base.find('a')Attacked code:
|
for (i = 0; i < self->extra->length; i++) { |
|
PyObject* item = self->extra->children[i]; |
|
int rc; |
|
assert(Element_Check(st, item)); |
|
Py_INCREF(item); |
|
rc = PyObject_RichCompareBool(((ElementObject*)item)->tag, path, Py_EQ); |
|
if (rc > 0) |
|
return item; |
|
Py_DECREF(item); |
|
if (rc < 0) |
|
return NULL; |
|
} |
The findall and findtext methods also suffer from the same vulnerability. I haven't tried to attack Element.iterfind yet since it delegates to the Python function ElementPath.iterfind instead.
CPython versions tested on:
CPython main branch
Operating systems tested on:
No response
Output from running 'python -VV' on the command line:
No response
Linked PRs
Crash report
What happened?
Similar to #126033, the following crashes:
Attacked code:
cpython/Modules/_elementtree.c
Lines 1264 to 1275 in dc76a4a
The
findallandfindtextmethods also suffer from the same vulnerability. I haven't tried to attackElement.iterfindyet since it delegates to the Python functionElementPath.iterfindinstead.CPython versions tested on:
CPython main branch
Operating systems tested on:
No response
Output from running 'python -VV' on the command line:
No response
Linked PRs
xml.etree.ElementTree.Element.find*when concurrent mutations happen #127964xml.etree.ElementTree.Element.find*when current mutations happen (#127964) #131931xml.etree.ElementTree.Element.find*when concurrent mutations happen (#127964) #131932