Fixes Issue #14234: CVE-2012-0876: Randomize hashes of xml attributes

in the hash table internal to the pyexpat module's copy of the expat library to avoid a denial of service due to hash collisions. Patch by David Malcolm with some modifications by the expat project.

Fixes Issue #14234: CVE-2012-0876: Randomize hashes of xml attributes
in the hash table internal to the pyexpat module's copy of the expat library to avoid a denial of service due to hash collisions. Patch by David Malcolm with some modifications by the expat project.
70c9c4dc · Gregory P. Smith · e7c8fdee · 373c7409 · 70c9c4dc · 70c9c4dc
Commit 70c9c4dc authored Mar 14, 2012 by Gregory P. Smith
5 changed files
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -24,6 +24,11 @@ Core and Builtins
 Library
 -------
+- Issue #14234: CVE-2012-0876: Randomize hashes of xml attributes in the hash
+  table internal to the pyexpat module's copy of the expat library to avoid a
+  denial of service due to hash collisions.  Patch by David Malcolm with some
+  modifications by the expat project.
 - Issue #14200: Idle shell crash on printing non-BMP unicode character.
 - Issue #12818: format address no longer needlessly \ escapes ()s in names when

--- a/Modules/expat/expat.h
+++ b/Modules/expat/expat.h
@@ -883,6 +883,15 @@ XMLPARSEAPI(int)
 XML_SetParamEntityParsing(XML_Parser parser,
                          enum XML_ParamEntityParsing parsing);
+/* Sets the hash salt to use for internal hash calculations.
+   Helps in preventing DoS attacks based on predicting hash
+   function behavior. This must be called before parsing is started.
+   Returns 1 if successful, 0 when called after parsing has started.
+*/
+XMLPARSEAPI(int)
+XML_SetHashSalt(XML_Parser parser,
+                unsigned long hash_salt);
 /* If XML_Parse or XML_ParseBuffer have returned XML_STATUS_ERROR, then
   XML_GetErrorCode returns information about the error.
 */

--- a/Modules/expat/pyexpatns.h
+++ b/Modules/expat/pyexpatns.h
@@ -97,6 +97,7 @@
 #define XML_SetEntityDeclHandler        PyExpat_XML_SetEntityDeclHandler
 #define XML_SetExternalEntityRefHandler PyExpat_XML_SetExternalEntityRefHandler
 #define XML_SetExternalEntityRefHandlerArg  PyExpat_XML_SetExternalEntityRefHandlerArg
+#define XML_SetHashSalt                 PyExpat_XML_SetHashSalt
 #define XML_SetNamespaceDeclHandler     PyExpat_XML_SetNamespaceDeclHandler
 #define XML_SetNotationDeclHandler      PyExpat_XML_SetNotationDeclHandler
 #define XML_SetNotStandaloneHandler     PyExpat_XML_SetNotStandaloneHandler

--- a/Modules/expat/xmlparse.c
+++ b/Modules/expat/xmlparse.c
--- a/Modules/pyexpat.c
+++ b/Modules/pyexpat.c
@@ -1156,6 +1156,8 @@ newxmlparseobject(char *encoding, char *namespace_separator, PyObject *intern)
    else {
        self->itself = XML_ParserCreate(encoding);
    }
+    XML_SetHashSalt(self->itself,
+                    (unsigned long)_Py_HashSecret.prefix);
    self->intern = intern;
    Py_XINCREF(self->intern);
    PyObject_GC_Track(self);