
Replaced xml.etree.ElementTree#5565

Merged
radarhere merged 4 commits into python-pillow:master from radarhere:xml
Jun 30, 2021

Conversation

@radarhere (Member)

https://docs.python.org/3/library/xml.etree.elementtree.html

Warning The xml.etree.ElementTree module is not secure against maliciously constructed data. If you need to parse untrusted or unauthenticated data see XML vulnerabilities.

xml.etree.ElementTree is in use in getexif() and now getxmp(). So the earliest Pillow version affected is 7.2.0.

The Python docs later recommend defusedxml.

The defusedxml Package
defusedxml is a pure Python package with modified subclasses of all stdlib XML parsers that prevent any potentially malicious operation. Use of this package is recommended for any server code that parses untrusted XML data.

So this PR replaces xml.etree.ElementTree in getxmp() with defusedxml.ElementTree. If it is not installed, an empty dictionary is returned instead and a warning is raised.

The use in getexif() is simpler, so I have just used re there instead.
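The two replacements described above, written out as an added example rather than Pillow's own implementation: getxmp() parses only through defusedxml and otherwise warns and returns an empty dict, while the getexif() path reads tiff:Orientation with a regex and never instantiates an XML parser. The XMP packet is constructed for the example, and the namespace flattening and the exact regex are assumptions, not copied from Pillow.

```python
import re
import warnings

try:
    from defusedxml import ElementTree  # hardened drop-in for xml.etree.ElementTree
except ImportError:  # defusedxml is an optional dependency
    ElementTree = None

RDF_NS = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"

# Constructed XMP packet (not from a real file) carrying a tiff:Orientation of 6.
SAMPLE_XMP = b"""<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>
<x:xmpmeta xmlns:x="adobe:ns:meta/">
 <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <rdf:Description rdf:about="" xmlns:tiff="http://ns.adobe.com/tiff/1.0/"
      tiff:Orientation="6" tiff:Make="ConstructedCam"/>
 </rdf:RDF>
</x:xmpmeta>
<?xpacket end="w"?>"""


def parse_xmp(xmp_bytes, et_module=ElementTree):
    """Flatten rdf:Description attributes and child text into a dict.

    Mirrors the PR's policy: parse only with defusedxml; if it is missing,
    warn and return {} instead of falling back to the stdlib parser.
    """
    if et_module is None:
        warnings.warn("XMP data cannot be read without defusedxml dependency")
        return {}
    root = et_module.fromstring(xmp_bytes)
    fields = {}
    for desc in root.iter(RDF_NS + "Description"):
        for key, value in desc.attrib.items():
            fields[key.rsplit("}", 1)[-1]] = value  # strip "{namespace}" prefix
        for child in desc:
            fields[child.tag.rsplit("}", 1)[-1]] = (child.text or "").strip()
    return fields


def orientation_from_xmp(xmp_bytes):
    """Pull tiff:Orientation out of raw XMP bytes with a regex, no XML parser.

    Handles both the attribute form (tiff:Orientation="6") and the element
    form (<tiff:Orientation>6</tiff:Orientation>); returns None if absent.
    """
    match = re.search(rb'tiff:Orientation(="|>)([1-8])', xmp_bytes)
    return int(match.group(2)) if match else None
```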
