log2timeline / plaso

Super timeline all the things
https://plaso.readthedocs.io
Apache License 2.0

plistlib module raises ValueError: year 0 is out of range #3620

Closed joachimmetz closed 3 years ago

joachimmetz commented 3 years ago
********************************** Warning: 0 **********************************
           Message : unable to process path specification with error: year 0
                     is out of range
      Parser chain : 
Path specification : type: OS, location:
                     853946-com.apple.security.KCN.plist
--------------------------------------------------------------------------------
(Pdb) bt
  plaso/engine/single_process.py(86)_ProcessPathSpec()
-> extraction_worker.ProcessPathSpec(
  plaso/engine/worker.py(881)ProcessPathSpec()
-> self._ProcessFileEntry(mediator, file_entry)
  plaso/engine/worker.py(684)_ProcessFileEntry()
-> self._ProcessFileEntryDataStream(mediator, file_entry, data_stream)
  plaso/engine/worker.py(776)_ProcessFileEntryDataStream()
-> self._ExtractContentFromDataStream(
  plaso/engine/worker.py(364)_ExtractContentFromDataStream()
-> self._event_extractor.ParseDataStream(
  plaso/engine/extractors.py(292)ParseDataStream()
-> self._ParseFileEntryWithParsers(
  plaso/engine/extractors.py(254)_ParseFileEntryWithParsers()
-> parse_result = self._ParseFileEntryWithParser(
  plaso/engine/extractors.py(192)_ParseFileEntryWithParser()
-> parser.Parse(parser_mediator, file_object)
  plaso/parsers/interface.py(285)Parse()
-> self.ParseFileObject(parser_mediator, file_object)
  plaso/parsers/plist.py(135)ParseFileObject()
-> top_level_object = plistlib.loads(plist_data)
  /usr/lib64/python3.9/plistlib.py(883)loads()
-> return load(fp, fmt=fmt, dict_type=dict_type)
  /usr/lib64/python3.9/plistlib.py(875)load()
-> return p.parse(fp)
  /usr/lib64/python3.9/plistlib.py(177)parse()
-> self.parser.ParseFile(fileobj)
  /builddir/build/BUILD/Python-3.9.5/Modules/pyexpat.c(459)EndElement()
  /usr/lib64/python3.9/plistlib.py(195)handle_end_element()
-> handler()
  /usr/lib64/python3.9/plistlib.py(271)end_date()
-> self.add_object(_date_from_string(self.get_data()))
> /usr/lib64/python3.9/plistlib.py(143)_date_from_string()
-> return datetime.datetime(*lst)
joachimmetz commented 3 years ago
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>absentCircleWithNoReason</key>
    <false/>
    <key>applicationDate</key>
    <date>0000-12-30T00:00:00Z</date>
    <key>lastCircleStatus</key>
    <integer>3</integer>
    <key>lastWritten</key>
    <date>2019-09-16T18:42:44Z</date>
    <key>pendingApplicationReminder</key>
    <date>4001-01-01T00:00:00Z</date>
    <key>pendingApplicationReminderInterval</key>
    <integer>86400</integer>
</dict>
</plist>
joachimmetz commented 3 years ago

Changing plist parser for now to catch ValueError and generate an extraction error. Long-term it might be good to have a plist parser that does not rely on the datetime module.
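
The stop-gap described in the last comment, sketched as an added example (not plaso's code and not part of the original thread): catch the `ValueError` that `plistlib` lets escape and turn it into a warning instead of aborting the path specification. The names `parse_plist` and `PLIST_TEMPLATE` and the warning wording are assumptions; the sample plist is constructed from the one posted above.

```python
import datetime
import plistlib
import xml.parsers.expat

# Constructed sample modelled on the plist in this issue; %s is the value of
# the applicationDate <date> element.
PLIST_TEMPLATE = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<plist version="1.0"><dict>\n'
    b'<key>applicationDate</key><date>%s</date>\n'
    b'<key>lastWritten</key><date>2019-09-16T18:42:44Z</date>\n'
    b'</dict></plist>\n')


def parse_plist(plist_data):
    """Parses plist data and returns (top_level_object, warning).

    Exactly one of the two values is None. plistlib converts every <date>
    with datetime.datetime(), which only accepts years 1 through 9999, so a
    year 0 date surfaces as a plain ValueError from plistlib.loads().
    """
    try:
        return plistlib.loads(plist_data), None
    except (ValueError, xml.parsers.expat.ExpatError) as exception:
        # plistlib.InvalidFileException is a ValueError subclass, so
        # malformed binary plists end up here as well.
        warning = 'unable to parse plist with error: {0:s}: {1!s}'.format(
            type(exception).__name__, exception)
        return None, warning


if __name__ == '__main__':
    for date_string in (b'2019-09-16T18:42:44Z', b'0000-12-30T00:00:00Z'):
        top_level_object, warning = parse_plist(PLIST_TEMPLATE % date_string)
        if warning:
            print(date_string.decode(), '->', warning)
        else:
            print(date_string.decode(), '->', sorted(top_level_object))
```

Because `plistlib` aborts the whole parse on the first bad date, the valid `lastWritten` timestamp in the same file is not recovered either; the warning is the only record that the file was seen.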