Crash: xml.etree.ElementTree.Element.find* with an evil tag's str.__eq__ #126037

Open
picnixz opened this issue Oct 27, 2024 · 0 comments
Labels: 3.12 (bugs and security fixes), 3.13 (bugs and security fixes), 3.14 (new features, bugs and security fixes), extension-modules (C modules in the Modules dir), topic-XML, type-crash (A hard crash of the interpreter, possibly with a core dump)

picnixz commented Oct 27, 2024

Crash report

What happened?

Similar to #126033, the following crashes:

import xml.etree.ElementTree as ET

class EvilTag(str):
    def __eq__(self, other):
        base.clear()
        return False

base = ET.Element('a')
base.append(ET.Element(EvilTag('x')))
base.find('a')

Attacked code:

cpython/Modules/_elementtree.c

Lines 1264 to 1275 in dc76a4a

for (i = 0; i < self->extra->length; i++) {
    PyObject* item = self->extra->children[i];
    int rc;
    assert(Element_Check(st, item));
    Py_INCREF(item);
    rc = PyObject_RichCompareBool(((ElementObject*)item)->tag, path, Py_EQ);
    if (rc > 0)
        return item;
    Py_DECREF(item);
    if (rc < 0)
        return NULL;
}

The findall and findtext methods also suffer from the same vulnerability. I haven't tried to attack Element.iterfind yet since it delegates to the Python function ElementPath.iterfind instead.

CPython versions tested on:

CPython main branch

Operating systems tested on:

No response

Output from running 'python -VV' on the command line:

No response

@picnixz picnixz added extension-modules C modules in the Modules dir topic-XML type-crash A hard crash of the interpreter, possibly with a core dump 3.12 bugs and security fixes 3.13 bugs and security fixes 3.14 new features, bugs and security fixes labels Oct 27, 2024
@picnixz picnixz self-assigned this Oct 27, 2024