Namespace separator ':' incompatible with Expat >=2.4.5 <2.4.7 security fixes

[hartwork]

Hi @martinblech,

it was brought to my attention that xmltodict and Expat >=2.4.5 are not compatible. The incompatibility has two halves:

• xmltodict is using : (colon) for a namespace separator at multiple places, for instance:

  # git --no-pager grep "namespace_separator='"
  xmltodict.py:                 namespace_separator=':',
  xmltodict.py:          namespace_separator=':', disable_entities=True, process_comments=False, **kwargs):
  xmltodict.py:          namespace_separator=':',

• Expat disallows use of namespace separator characters in xmlns attribute values for security since 2.4.5 and PR [CVE-2022-25236] lib: Protect against insertion of namesep characters into namespace URIs libexpat/libexpat#561.

The API docs of XML_ParserCreateNS say:

This means that you should pick a character for sep that can't be part of an URI.

Colon can appear in a URI (RFC 3986), so a colon cannot be used as a namespace separator or there will be false positives. Use of " " (space) or "\n" (line feed) would work.

Would you be up for picking a different character for a namespace separator?

Thanks and best, Sebastian

CC libwbxml/libwbxml#76
CC libexpat/libexpat#572 (comment)

[sebageek]

To reproduce this error take a recent version of libexpat1 (e.g. libexpat1:amd64 with 2.2.5-3ubuntu0.4) and run xmltodict.parse("<foo></foo>", process_namespaces=True), e.g.:

root@70ce73d84773:/# dpkg -l libexpat1|grep ^ii
ii  libexpat1:amd64 2.2.5-3ubuntu0.4 amd64        XML parsing C library - runtime library
root@70ce73d84773:/# python3 -c 'import xmltodict; print(xmltodict.parse("<foo></foo>", process_namespaces=True))'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/var/lib/openstack/lib/python3.6/site-packages/xmltodict.py", line 327, in parse
    parser.Parse(xml_input, True)
xml.parsers.expat.ExpatError: out of memory: line 1, column 0

For everyone facing this problem and cannot wait for a patched Version of xmltodict a workaround is to provide a different namespace_separator yourself, like @hartwork suggests (e.g. namespace_separator=' '). This parameter is exposed by parse():

root@70ce73d84773:/# python3 -c 'import xmltodict; print(xmltodict.parse("<foo></foo>", process_namespaces=True, namespace_separator=" "))'
OrderedDict([('foo', None)])

I'd still be in favor of providing a different default value for this in xmltodict though, so parsing would work out of the box again with process_namespaces=True. :)

[sktzofrenic]

Seems unlikely that this will get fixed due to the lack of movement in this project unfortunately. I was able to just fork the project and use the fix provided by @hartwork in pr #290 and things are back to normal.

[hartwork]

Closing in favor of libexpat/libexpat#577 .