Brad Bishop | 6f8dcde | 2018-10-16 10:47:12 +0800 | 1 | From 3ffc80959f01f9fde548f1632694b9f950c2dd7c Mon Sep 17 00:00:00 2001 |
| 2 | From: Christian Heimes <christian@python.org> |
| 3 | Date: Tue, 18 Sep 2018 15:13:09 +0200 |
| 4 | Subject: [PATCH] [2.7] bpo-34623: Use XML_SetHashSalt in _elementtree |
| 5 | (GH-9146) (GH-9394) |
| 6 | |
| 7 | The C accelerated _elementtree module now initializes hash randomization |
| 8 | salt from _Py_HashSecret instead of libexpat's default CSPRNG. |
| 9 | |
| 10 | Signed-off-by: Christian Heimes <christian@python.org> |
| 11 | |
| 12 | https://bugs.python.org/issue34623. |
| 13 | (cherry picked from commit cb5778f00ce48631c7140f33ba242496aaf7102b) |
| 14 | |
| 15 | Co-authored-by: Christian Heimes <christian@python.org> |
| 16 | |
| 17 | |
| 18 | |
| 19 | https://bugs.python.org/issue34623 |
| 20 | |
| 21 | Upstream-Status: Backport |
| 22 | |
| 23 | Fix CVE-2018-14647 |
| 24 | |
| 25 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> |
| 26 | --- |
| 27 | Include/pyexpat.h | 4 +++- |
| 28 | Misc/NEWS.d/next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst | 2 ++ |
| 29 | Modules/_elementtree.c | 5 +++++ |
| 30 | Modules/pyexpat.c | 5 +++++ |
| 31 | 4 files changed, 15 insertions(+), 1 deletion(-) |
| 32 | create mode 100644 Misc/NEWS.d/next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst |
| 33 | |
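--- a/Include/pyexpat.h
+++ b/Include/pyexpat.h
@@ -3,7 +3,7 @@
 
 /* note: you must import expat.h before importing this module! */
 
-#define PyExpat_CAPI_MAGIC "pyexpat.expat_CAPI 1.0"
+#define PyExpat_CAPI_MAGIC "pyexpat.expat_CAPI 1.1"
 #define PyExpat_CAPSULE_NAME "pyexpat.expat_CAPI"
 
 struct PyExpat_CAPI
@@ -43,6 +43,8 @@ struct PyExpat_CAPI
 XML_Parser parser, XML_UnknownEncodingHandler handler,
 void *encodingHandlerData);
 void (*SetUserData)(XML_Parser parser, void *userData);
+ /* might be none for expat < 2.1.0 */
+ int (*SetHashSalt)(XML_Parser parser, unsigned long hash_salt);
 /* always add new stuff to the end! */
 };
 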
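Review bot: The comment on the new `SetHashSalt` member says "might be none", but what a build against old expat stores is a C `NULL` function pointer, and nothing in the header tells capsule consumers they must test it before calling. I would word it as `/* NULL when pyexpat was built against expat < 2.1.0; callers must check before calling */`. Since `PyExpat_CAPI_MAGIC` moves to 1.1 in the first hunk, a consumer that compares the magic string will presumably reject a pyexpat built from the older header, which is the safe outcome. That comparison is outside this section, so it is worth confirming.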
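--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst
@@ -0,0 +1,2 @@
+The C accelerated _elementtree module now initializes hash randomization
+salt from _Py_HashSecret instead of libexpat's default CSPRNG.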
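--- a/Modules/_elementtree.c
+++ b/Modules/_elementtree.c
@@ -2574,6 +2574,11 @@ xmlparser(PyObject* self_, PyObject* args, PyObject* kw)
 PyErr_NoMemory();
 return NULL;
 }
+ /* expat < 2.1.0 has no XML_SetHashSalt() */
+ if (EXPAT(SetHashSalt) != NULL) {
+ EXPAT(SetHashSalt)(self->parser,
+ (unsigned long)_Py_HashSecret.prefix);
+ }
 
 ALLOC(sizeof(XMLParserObject), "create expatparser");
 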
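Review bot: The salt passed in the added block is `_Py_HashSecret.prefix`, which is zero whenever hash randomization is off, and as far as I know that is the default on 2.7 unless `-R` or `PYTHONHASHSEED` is used. Expat treats a salt of 0 as "not set" and generates its own when parsing starts, so in that configuration the parser presumably still relies on libexpat's internal entropy source, which is the case this backport is meant to avoid. That deserves a comment above the call, for example `/* prefix is 0 when hash randomization is disabled; expat then picks its own salt */`, and deployments that parse untrusted XML should run with hash randomization enabled. The return value of `SetHashSalt` is also dropped; a `(void)` cast would make clear that this is intentional. The body of `xmlparser` continues outside the hunk.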
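--- a/Modules/pyexpat.c
+++ b/Modules/pyexpat.c
@@ -2042,6 +2042,11 @@ MODULE_INITFUNC(void)
 capi.SetProcessingInstructionHandler = XML_SetProcessingInstructionHandler;
 capi.SetUnknownEncodingHandler = XML_SetUnknownEncodingHandler;
 capi.SetUserData = XML_SetUserData;
+#if XML_COMBINED_VERSION >= 20100
+ capi.SetHashSalt = XML_SetHashSalt;
+#else
+ capi.SetHashSalt = NULL;
+#endif
 
 /* export using capsule */
 capi_object = PyCapsule_New(&capi, PyExpat_CAPSULE_NAME, NULL);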
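Review bot: The `#if XML_COMBINED_VERSION >= 20100` gate in the added lines evaluates to false if the macro is not defined at this point, which leaves `capi.SetHashSalt` as NULL and the salt never applied, with no build-time signal. The definition is not visible in this hunk, so confirm it precedes `MODULE_INITFUNC`. A guard such as `#ifndef XML_COMBINED_VERSION` / `#error "XML_COMBINED_VERSION must be defined"` ahead of the `#if` would make a misordered build fail loudly. The decision is also made against the expat headers at compile time, so a build against an older system expat ships without the mitigation even if a newer library is installed later. `MODULE_INITFUNC` starts and ends outside the hunk.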
| 96 | -- |
| 97 | 2.7.4 |
| 98 | |