python / cpython

The Python programming language
https://www.python.org

ServerProxy should not make requests with malformed XML #75092

Open e459ed98-85c2-4213-9c49-35de866f82bd opened 7 years ago

e459ed98-85c2-4213-9c49-35de866f82bd commented 7 years ago
BPO 30909
Nosy @serhiy-storchaka
Superseder
  • bpo-7727: xmlrpc library returns string which contain null ( \x00 )
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    GitHub fields:

    ```python
    assignee = None
    closed_at = None
    created_at =
    labels = ['expert-XML', 'type-bug', '3.7']
    title = 'ServerProxy should not make requests with malformed XML'
    updated_at =
    user = 'https://bugs.python.org/AlexCorcoles'
    ```

    bugs.python.org fields:

    ```python
    activity =
    actor = 'serhiy.storchaka'
    assignee = 'none'
    closed = False
    closed_date = None
    closer = None
    components = ['XML']
    creation =
    creator = 'Alex Corcoles'
    dependencies = []
    files = []
    hgrepos = []
    issue_num = 30909
    keywords = []
    message_count = 2.0
    messages = ['298226', '298233']
    nosy_count = 2.0
    nosy_names = ['serhiy.storchaka', 'Alex Corcoles']
    pr_nums = []
    priority = 'normal'
    resolution = 'duplicate'
    stage = None
    status = 'open'
    superseder = '7727'
    type = 'behavior'
    url = 'https://bugs.python.org/issue30909'
    versions = ['Python 2.7', 'Python 3.3', 'Python 3.4', 'Python 3.5', 'Python 3.6', 'Python 3.7']
    ```

    e459ed98-85c2-4213-9c49-35de866f82bd commented 7 years ago

    https://docs.python.org/3.7/library/xmlrpc.client.html says:

    """ When passing strings, characters special to XML such as <, >, and & will be automatically escaped. However, it’s the caller’s responsibility to ensure that the string is free of characters that aren’t allowed in XML, such as the control characters with ASCII values between 0 and 31 (except, of course, tab, newline and carriage return); failing to do this will result in an XML-RPC request that isn’t well-formed XML. If you have to pass arbitrary bytes via XML-RPC, use bytes or bytearray classes or the Binary wrapper class described below. """

    The XML-RPC spec at http://xmlrpc.scripting.com/spec.html says:

    """ What characters are allowed in strings? Non-printable characters? Null characters? Can a "string" be used to hold an arbitrary chunk of binary data?

    Any characters are allowed in a string except < and &, which are encoded as &lt; and &amp;. A string can be used to encode binary data. """

    I believe strings should be XML-escaped correctly or at the very least, an assertion should be made to ensure no malformed XML is ever generated.

    serhiy-storchaka commented 7 years ago

    This looks like a duplicate of bpo-7727.
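
The behaviour reported in this issue, reproduced as an added example (not code from the issue or from CPython): `xmlrpc.client.dumps` marshals a string containing a control character into XML that expat rejects, and a caller-side check catches it before a request is built. `is_well_formed`, `find_illegal`, `checked_dumps` and the sample log line are hypothetical names and constructed data; the check covers the whole XML 1.0 character range, which goes beyond the control characters the quoted documentation mentions.

```python
import re
import xmlrpc.client
from xml.parsers import expat

# Code points outside the XML 1.0 Char production: C0 controls other than
# tab/LF/CR, surrogates, U+FFFE and U+FFFF.
_ILLEGAL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\ud800-\udfff\ufffe\uffff]")


def is_well_formed(xml_text):
    """Return True if expat accepts xml_text as well-formed XML."""
    try:
        expat.ParserCreate().Parse(xml_text, True)
        return True
    except expat.ExpatError:
        return False


def find_illegal(value, path="params"):
    """Yield (path@offset, codepoint) for each character XML 1.0 cannot carry."""
    if isinstance(value, str):
        for m in _ILLEGAL.finditer(value):
            yield f"{path}@{m.start()}", ord(m.group())
    elif isinstance(value, dict):
        for key, item in value.items():
            yield from find_illegal(key, f"{path}[key {key!r}]")
            yield from find_illegal(item, f"{path}[{key!r}]")
    elif isinstance(value, (list, tuple)):
        for i, item in enumerate(value):
            yield from find_illegal(item, f"{path}[{i}]")


def checked_dumps(params, methodname):
    """Hypothetical wrapper: refuse to marshal strings that would break the XML."""
    bad = list(find_illegal(params))
    if bad:
        raise ValueError(f"characters not allowed in XML 1.0: {bad}")
    return xmlrpc.client.dumps(params, methodname)


# Constructed sample: a log line carrying ANSI colour escapes (ESC, 0x1b).
SAMPLE = ("job 42 \x1b[31mFAILED\x1b[0m",)

if __name__ == "__main__":
    raw = xmlrpc.client.dumps(SAMPLE, "log.append")
    print("dumps() output well-formed:", is_well_formed(raw))
    print("offending characters:", list(find_illegal(SAMPLE)))
    as_binary = (xmlrpc.client.Binary(SAMPLE[0].encode()),)
    print("Binary well-formed:", is_well_formed(xmlrpc.client.dumps(as_binary, "log.append")))
```

Wrapping the value in `Binary`, as the quoted documentation suggests, produces a well-formed request because the bytes travel base64-encoded.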