Skip to content

gh-115133: Fix tests for XMLPullParser with Expat 2.6.0#115164

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
serhiy-storchaka merged 2 commits into from
Feb 11, 2024
Merged

gh-115133: Fix tests for XMLPullParser with Expat 2.6.0 #115164

serhiy-storchaka merged 2 commits into from
Feb 11, 2024

Conversation

@serhiy-storchaka
Copy link
Member

@serhiy-storchakaserhiy-storchaka commented Feb 8, 2024
edited by bedevere-app bot
Loading

Feeding the parser by too small chunks defers parsing to prevent CVE-2023-52425. Future versions of Expat may be more reactive.

@serhiy-storchaka
pythongh-115133: Fix tests for XMLPullParser with Expat 2.6.0
e27eafb
Feeding the parser by too small chunks defers parsing to prevent CVE-2023-52425. Future versions of Expat may be more reactive.
@serhiy-storchakaserhiy-storchaka added tests Tests in the Lib/test dir needs backport to 3.11 only security fixes needs backport to 3.12 only security fixes labels Feb 8, 2024
@bedevere-appbedevere-appbot mentioned this pull request Feb 8, 2024
Closed
@lazka
Copy link
Contributor

lazka commented Feb 10, 2024
edited
Loading

It stills fails here with this patch applied:

FAIL: test_simple_xml_chunk_8 (test.test_xml_etree.XMLPullParserTest.test_simple_xml_chunk_8) ---------------------------------------------------------------------- Traceback (most recent call last): File "D:\a\cpython-mingw\cpython-mingw\Lib\test\test_xml_etree.py", line 1438, in test_simple_xml_chunk_8 self.test_simple_xml(chunk_size=8) File "D:\a\cpython-mingw\cpython-mingw\Lib\test\test_xml_etree.py", line 1418, in test_simple_xml self.assert_event_tags(parser, [('end', 'element')]) File "D:\a\cpython-mingw\cpython-mingw\Lib\test\test_xml_etree.py", line 1405, in assert_event_tags self.assertEqual([(action, elem.tag) for action, elem in events], AssertionError: Lists differ: [] != [('end', 'element')] Second list contains 1 additional elements. First extra element 0: ('end', 'element') - [] + [('end', 'element')] 
> python3 -c "import pyexpat; print(pyexpat.version_info)" (2, 6, 0)

@serhiy-storchaka
Copy link
MemberAuthor

serhiy-storchaka commented Feb 10, 2024

What is the smallest value of chunk_size with which the test would pass?

@lazka
Copy link
Contributor

lazka commented Feb 10, 2024
edited
Loading

chunk_size=22 is the smallest value that works on my machine.

serhiy-storchaka
serhiy-storchaka commented Feb 10, 2024
View reviewed changes
@serhiy-storchaka
Copy link
MemberAuthor

serhiy-storchaka commented Feb 10, 2024

Thank you for testing @lazka.

@serhiy-storchakaserhiy-storchaka merged commit 4a08e7b into python:mainFeb 11, 2024
@miss-islington-app
Copy link

miss-islington-appbot commented Feb 11, 2024

Thanks @serhiy-storchaka for the PR 🌮🎉.. I'm working now to backport this PR to: 3.11, 3.12.
🐍🍒⛏🤖

@serhiy-storchakaserhiy-storchaka deleted the test-etree-xmlpullparser-expat-2.6.0 branch February 11, 2024 10:08
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Feb 11, 2024
@serhiy-storchaka@miss-islington
pythongh-115133: Fix tests for XMLPullParser with Expat 2.6.0 (python…
5cffa94
…GH-115164) Feeding the parser by too small chunks defers parsing to prevent CVE-2023-52425. Future versions of Expat may be more reactive. (cherry picked from commit 4a08e7b) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
@bedevere-app
Copy link

bedevere-appbot commented Feb 11, 2024

GH-115288 is a backport of this pull request to the 3.12 branch.

@bedevere-appbedevere-appbot removed the needs backport to 3.12 only security fixes label Feb 11, 2024
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Feb 11, 2024
@serhiy-storchaka@miss-islington
pythongh-115133: Fix tests for XMLPullParser with Expat 2.6.0 (python…
f2eebf3
…GH-115164) Feeding the parser by too small chunks defers parsing to prevent CVE-2023-52425. Future versions of Expat may be more reactive. (cherry picked from commit 4a08e7b) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
@bedevere-app
Copy link

bedevere-appbot commented Feb 11, 2024

GH-115289 is a backport of this pull request to the 3.11 branch.

@bedevere-appbedevere-appbot removed the needs backport to 3.11 only security fixes label Feb 11, 2024
@serhiy-storchakaserhiy-storchaka mentioned this pull request Feb 11, 2024
Closed
serhiy-storchaka added a commit that referenced this pull request Feb 11, 2024
@miss-islington@serhiy-storchaka
[3.12]gh-115133: Fix tests for XMLPullParser with Expat 2.6.0 (GH-11…
c4fa79b
…5164) (GH-115288) Feeding the parser by too small chunks defers parsing to prevent CVE-2023-52425. Future versions of Expat may be more reactive. (cherry picked from commit 4a08e7b) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
serhiy-storchaka added a commit that referenced this pull request Feb 11, 2024
@miss-islington@serhiy-storchaka
[3.11]gh-115133: Fix tests for XMLPullParser with Expat 2.6.0 (GH-11…
3501eca
…5164) (GH-115289) Feeding the parser by too small chunks defers parsing to prevent CVE-2023-52425. Future versions of Expat may be more reactive. (cherry picked from commit 4a08e7b) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
@hartworkhartwork mentioned this pull request Feb 12, 2024
Merged
13 tasks
fsc-eriker pushed a commit to fsc-eriker/cpython that referenced this pull request Feb 14, 2024
@serhiy-storchaka@fsc-eriker
pythongh-115133: Fix tests for XMLPullParser with Expat 2.6.0 (python…
0d01a88
…GH-115164) Feeding the parser by too small chunks defers parsing to prevent CVE-2023-52425. Future versions of Expat may be more reactive.
@hartworkhartwork mentioned this pull request Feb 14, 2024
Closed
28 tasks
@hartworkhartwork mentioned this pull request Feb 14, 2024
Merged
@miss-islington-app
Copy link

miss-islington-appbot commented Feb 15, 2024

Thanks @serhiy-storchaka for the PR 🌮🎉.. I'm working now to backport this PR to: 3.8.
🐍🍒⛏🤖

@miss-islington-app
Copy link

miss-islington-appbot commented Feb 15, 2024

Thanks @serhiy-storchaka for the PR 🌮🎉.. I'm working now to backport this PR to: 3.9.
🐍🍒⛏🤖

@miss-islington-app
Copy link

miss-islington-appbot commented Feb 15, 2024

Thanks @serhiy-storchaka for the PR 🌮🎉.. I'm working now to backport this PR to: 3.10.
🐍🍒⛏🤖

@miss-islington-app
Copy link

miss-islington-appbot commented Feb 15, 2024

Sorry, @serhiy-storchaka, I could not cleanly backport this to 3.8 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 4a08e7b3431cd32a0daf22a33421cd3035343dc4 3.8

@miss-islington-app
Copy link

miss-islington-appbot commented Feb 15, 2024

Sorry, @serhiy-storchaka, I could not cleanly backport this to 3.9 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 4a08e7b3431cd32a0daf22a33421cd3035343dc4 3.9

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Feb 15, 2024
@serhiy-storchaka@miss-islington
pythongh-115133: Fix tests for XMLPullParser with Expat 2.6.0 (python…
81d0755
…GH-115164) Feeding the parser by too small chunks defers parsing to prevent CVE-2023-52425. Future versions of Expat may be more reactive. (cherry picked from commit 4a08e7b) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
@bedevere-app
Copy link

bedevere-appbot commented Feb 15, 2024

GH-115525 is a backport of this pull request to the 3.10 branch.

@bedevere-appbedevere-appbot removed the needs backport to 3.10 only security fixes label Feb 15, 2024
sethmlarson pushed a commit to sethmlarson/cpython that referenced this pull request Feb 15, 2024
@serhiy-storchaka@sethmlarson
[3.9]pythongh-115133: Fix tests for XMLPullParser with Expat 2.6.0 (p…
cd1d5ea
…ythonGH-115164) Feeding the parser by too small chunks defers parsing to prevent CVE-2023-52425. Future versions of Expat may be more reactive. (cherry picked from commit 4a08e7b) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
sethmlarson pushed a commit to sethmlarson/cpython that referenced this pull request Feb 15, 2024
@serhiy-storchaka@sethmlarson
[3.8]pythongh-115133: Fix tests for XMLPullParser with Expat 2.6.0 (p…
c9672ea
…ythonGH-115164) Feeding the parser by too small chunks defers parsing to prevent CVE-2023-52425. Future versions of Expat may be more reactive. (cherry picked from commit 4a08e7b) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
@sethmlarson
Copy link
Contributor

sethmlarson commented Feb 15, 2024

Created backports for 3.9 and 3.8 manually:

pablogsal pushed a commit that referenced this pull request Feb 19, 2024
@miss-islington@serhiy-storchaka
[3.10]gh-115133: Fix tests for XMLPullParser with Expat 2.6.0 (GH-11…
d9c79e1
…5164) (#115525) gh-115133: Fix tests for XMLPullParser with Expat 2.6.0 (GH-115164) Feeding the parser by too small chunks defers parsing to prevent CVE-2023-52425. Future versions of Expat may be more reactive. (cherry picked from commit 4a08e7b) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
naveen521kk pushed a commit to naveen521kk/cpython that referenced this pull request Feb 19, 2024
@miss-islington@serhiy-storchaka@naveen521kk
[3.12]pythongh-115133: Fix tests for XMLPullParser with Expat 2.6.0 (p…
8efd73c
…ythonGH-115164) (pythonGH-115288) Feeding the parser by too small chunks defers parsing to prevent CVE-2023-52425. Future versions of Expat may be more reactive. (cherry picked from commit 4a08e7b) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
naveen521kk pushed a commit to naveen521kk/cpython that referenced this pull request Feb 19, 2024
@miss-islington@serhiy-storchaka@naveen521kk
[3.12]pythongh-115133: Fix tests for XMLPullParser with Expat 2.6.0 (p…
b2c5c9e
…ythonGH-115164) (pythonGH-115288) Feeding the parser by too small chunks defers parsing to prevent CVE-2023-52425. Future versions of Expat may be more reactive. (cherry picked from commit 4a08e7b) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
naveen521kk pushed a commit to naveen521kk/cpython that referenced this pull request Feb 19, 2024
@miss-islington@serhiy-storchaka@naveen521kk
[3.12]pythongh-115133: Fix tests for XMLPullParser with Expat 2.6.0 (p…
f92fdcf
…ythonGH-115164) (pythonGH-115288) Feeding the parser by too small chunks defers parsing to prevent CVE-2023-52425. Future versions of Expat may be more reactive. (cherry picked from commit 4a08e7b) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
@Bill-SommerfeldBill-Sommerfeld mentioned this pull request Feb 20, 2024
Closed
ambv pushed a commit that referenced this pull request Feb 21, 2024
@sethmlarson@serhiy-storchaka
[3.8]gh-115133: Fix tests for XMLPullParser with Expat 2.6.0 (GH-115164
366f315
) (GH-115536) Feeding the parser by too small chunks defers parsing to prevent CVE-2023-52425. Future versions of Expat may be more reactive. (cherry picked from commit 4a08e7b) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
naveen521kk pushed a commit to naveen521kk/cpython that referenced this pull request Feb 21, 2024
@miss-islington@serhiy-storchaka@naveen521kk
[3.12]pythongh-115133: Fix tests for XMLPullParser with Expat 2.6.0 (p…
7d3cf00
…ythonGH-115164) (pythonGH-115288) Feeding the parser by too small chunks defers parsing to prevent CVE-2023-52425. Future versions of Expat may be more reactive. (cherry picked from commit 4a08e7b) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
naveen521kk pushed a commit to naveen521kk/cpython that referenced this pull request Jul 11, 2024
@miss-islington@serhiy-storchaka@naveen521kk
[3.12]pythongh-115133: Fix tests for XMLPullParser with Expat 2.6.0 (p…
e6aeef3
…ythonGH-115164) (pythonGH-115288) Feeding the parser by too small chunks defers parsing to prevent CVE-2023-52425. Future versions of Expat may be more reactive. (cherry picked from commit 4a08e7b) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
naveen521kk pushed a commit to naveen521kk/cpython that referenced this pull request Jul 11, 2024
@miss-islington@serhiy-storchaka@naveen521kk
[3.12]pythongh-115133: Fix tests for XMLPullParser with Expat 2.6.0 (p…
76ea190
…ythonGH-115164) (pythonGH-115288) Feeding the parser by too small chunks defers parsing to prevent CVE-2023-52425. Future versions of Expat may be more reactive. (cherry picked from commit 4a08e7b) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
naveen521kk pushed a commit to naveen521kk/cpython that referenced this pull request Jul 11, 2024
@miss-islington@serhiy-storchaka@naveen521kk
[3.12]pythongh-115133: Fix tests for XMLPullParser with Expat 2.6.0 (p…
95790f9
…ythonGH-115164) (pythonGH-115288) Feeding the parser by too small chunks defers parsing to prevent CVE-2023-52425. Future versions of Expat may be more reactive. (cherry picked from commit 4a08e7b) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
naveen521kk pushed a commit to msys2-contrib/cpython-mingw that referenced this pull request Aug 5, 2024
@miss-islington@serhiy-storchaka@naveen521kk
[3.12]pythongh-115133: Fix tests for XMLPullParser with Expat 2.6.0 (p…
ad679e5
…ythonGH-115164) (pythonGH-115288) Feeding the parser by too small chunks defers parsing to prevent CVE-2023-52425. Future versions of Expat may be more reactive. (cherry picked from commit 4a08e7b) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
@edmorleyedmorley mentioned this pull request Oct 10, 2024
Open
Sign up for freeto join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@hartworkhartworkhartwork approved these changes

@Snild-SonySnild-SonySnild-Sony approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@serhiy-storchakaserhiy-storchaka

Labels

testsTests in the Lib/test dir

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@serhiy-storchaka@lazka@sethmlarson@hartwork@Snild-Sony@hugovk