CVE-2026-41066.patch
From 034dfbac902baa560423f1268dedf74e6730573a Mon Sep 17 00:00:00 2001
From: AllSpark <allspark@microsoft.com>
Date: Wed, 29 Apr 2026 09:37:00 +0000
Subject: [PATCH] LP#2146291: Set resolve_entities='internal' as default for
parser subclasses; update iterparse signature and docs accordingly.
Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Upstream-reference: AI Backport of https://github.com/lxml/lxml/commit/ab431ea0b9a7357d968f1d1c5c614649e9aaf358.patch
---
src/lxml/iterparse.pxi | 11 +++++++----
src/lxml/parser.pxi | 10 +++++-----
2 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/src/lxml/iterparse.pxi b/src/lxml/iterparse.pxi
index a7299da..52d0ea7 100644
--- a/src/lxml/iterparse.pxi
+++ b/src/lxml/iterparse.pxi
@@ -6,7 +6,8 @@ cdef class iterparse:
u"""iterparse(self, source, events=("end",), tag=None, \
attribute_defaults=False, dtd_validation=False, \
load_dtd=False, no_network=True, remove_blank_text=False, \
- remove_comments=False, remove_pis=False, encoding=None, \
+ compact=True, resolve_entities='internal', remove_comments=False, \
+ remove_pis=False, strip_cdata=True, encoding=None, \
html=False, recover=None, huge_tree=False, schema=None)
Incremental parser.
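Review bot: The docstring signature rewritten here still leaves out `collect_ids=True`, which the `__init__` signature in the later hunk of this file accepts, so the documented call form and the real one continue to differ. Since these lines are already being touched, the last signature line could read `html=False, recover=None, huge_tree=False, collect_ids=True, schema=None)`. The docstring continues outside the hunk.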
@@ -42,9 +43,11 @@ cdef class iterparse:
- remove_blank_text: discard blank text nodes
- remove_comments: discard comments
- remove_pis: discard processing instructions
- - strip_cdata: replace CDATA sections by normal text content (default: True)
+ - strip_cdata: replace CDATA sections by normal text content (default:
+ True for XML, ignored otherwise)
- compact: safe memory for short text content (default: True)
- - resolve_entities: replace entities by their text value (default: True)
+ - resolve_entities: replace entities by their text value
+ (default: 'internal' only)
- huge_tree: disable security restrictions and support very deep trees
and very long text content (only affects libxml2 2.7+)
- html: parse input as HTML (default: XML)
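Review bot: The new `resolve_entities` entry gives only the default and never says what the accepted values do, which is what a caller needs to judge whether external entities can be loaded. Suggested wording: `- resolve_entities: replace entities by their text value: False keeps entity references, True resolves them, 'internal' resolves internal definitions only (default: 'internal')`. The same applies to the `resolve_entities` line in the XMLParser docstring hunk in src/lxml/parser.pxi. The unchanged line above it reads `safe memory` where parser.pxi has `save memory`.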
@@ -67,7 +70,7 @@ cdef class iterparse:
def __init__(self, source, events=(u"end",), *, tag=None,
attribute_defaults=False, dtd_validation=False,
load_dtd=False, no_network=True, remove_blank_text=False,
- compact=True, resolve_entities=True, remove_comments=False,
+ compact=True, resolve_entities='internal', remove_comments=False,
remove_pis=False, strip_cdata=True, encoding=None,
html=False, recover=None, huge_tree=False, collect_ids=True,
XMLSchema schema=None):
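Review bot: Only the default value changes in this signature, and the body of `__init__` that interprets `resolve_entities` is outside the hunk, so nothing visible in the patch shows that the string `'internal'` is handled differently from `True`. If this tree tests the argument only for truthiness, the non-empty string would leave full entity resolution enabled and the backport would have no effect; that needs confirming against the target source, and the same holds for the `XMLParser.__init__` and `ETCompatXMLParser.__init__` hunks in src/lxml/parser.pxi. The patch also carries no test; a regression test that parses a document declaring an external entity with each of the three parsers at their defaults and asserts the entity is not expanded would pin the fix. Callers that depend on external entity loading now have to pass `resolve_entities=True` explicitly, which deserves a line in the package changelog.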
diff --git a/src/lxml/parser.pxi b/src/lxml/parser.pxi
index 068cdd3..c00c524 100644
--- a/src/lxml/parser.pxi
+++ b/src/lxml/parser.pxi
@@ -1478,7 +1478,7 @@ _XML_DEFAULT_PARSE_OPTIONS = (
)
cdef class XMLParser(_FeedParser):
- u"""XMLParser(self, encoding=None, attribute_defaults=False, dtd_validation=False, load_dtd=False, no_network=True, ns_clean=False, recover=False, schema: XMLSchema =None, huge_tree=False, remove_blank_text=False, resolve_entities=True, remove_comments=False, remove_pis=False, strip_cdata=True, collect_ids=True, target=None, compact=True)
+ u"""XMLParser(self, encoding=None, attribute_defaults=False, dtd_validation=False, load_dtd=False, no_network=True, ns_clean=False, recover=False, schema: XMLSchema =None, huge_tree=False, remove_blank_text=False, resolve_entities='internal', remove_comments=False, remove_pis=False, strip_cdata=True, collect_ids=True, target=None, compact=True)
The XML parser.
@@ -1508,7 +1508,7 @@ cdef class XMLParser(_FeedParser):
- strip_cdata - replace CDATA sections by normal text content (default: True)
- compact - save memory for short text content (default: True)
- collect_ids - use a hash table of XML IDs for fast access (default: True, always True with DTD validation)
- - resolve_entities - replace entities by their text value (default: True)
+ - resolve_entities - replace entities by their text value (default: 'internal')
- huge_tree - disable security restrictions and support very deep trees
and very long text content (only affects libxml2 2.7+)
@@ -1525,7 +1525,7 @@ cdef class XMLParser(_FeedParser):
def __init__(self, *, encoding=None, attribute_defaults=False,
dtd_validation=False, load_dtd=False, no_network=True,
ns_clean=False, recover=False, XMLSchema schema=None,
- huge_tree=False, remove_blank_text=False, resolve_entities=True,
+ huge_tree=False, remove_blank_text=False, resolve_entities='internal',
remove_comments=False, remove_pis=False, strip_cdata=True,
collect_ids=True, target=None, compact=True):
cdef int parse_options
@@ -1594,7 +1594,7 @@ cdef class ETCompatXMLParser(XMLParser):
u"""ETCompatXMLParser(self, encoding=None, attribute_defaults=False, \
dtd_validation=False, load_dtd=False, no_network=True, \
ns_clean=False, recover=False, schema=None, \
- huge_tree=False, remove_blank_text=False, resolve_entities=True, \
+ huge_tree=False, remove_blank_text=False, resolve_entities='internal', \
remove_comments=True, remove_pis=True, strip_cdata=True, \
target=None, compact=True)
@@ -1608,7 +1608,7 @@ cdef class ETCompatXMLParser(XMLParser):
def __init__(self, *, encoding=None, attribute_defaults=False,
dtd_validation=False, load_dtd=False, no_network=True,
ns_clean=False, recover=False, schema=None,
- huge_tree=False, remove_blank_text=False, resolve_entities=True,
+ huge_tree=False, remove_blank_text=False, resolve_entities='internal',
remove_comments=True, remove_pis=True, strip_cdata=True,
target=None, compact=True):
XMLParser.__init__(self,
--
2.45.4