You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) by adding five new methods:
- `xml.etree.ElementTree.XMLParser.flush`
- `xml.etree.ElementTree.XMLPullParser.flush`
- `xml.parsers.expat.xmlparser.GetReparseDeferralEnabled`
- `xml.parsers.expat.xmlparser.SetReparseDeferralEnabled`
- `xml.sax.expatreader.ExpatParser.flush`
Based on the "flush" idea from python/cpython#115138 (comment) .
- Please treat as a security fix related to CVE-2023-52425.
(cherry picked from commit 6a95676bb526261434dd068d6c49927c44d24a9b)
(cherry picked from commit 73807eb634315f70a464a18feaae33d9e065de09)
(cherry picked from commit eda2963378a3c292cf6bb202bb00e94e46ee6d90)
---------
Includes code suggested-by: Snild Dolkow <snild@sony.com>
and by core dev Serhiy Storchaka.
Co-authored-by: Gregory P. Smith <greg@krypto.org>
CPython-sync-commit-latest: 0a01ed6c2a116bd3e174fce33c21d84d650de569
0 commit comments