Transplant from main repo d6c197edd99b: Fixes Issue #14234: CVE-2012-0876:...

Transplant from main repo d6c197edd99b: Fixes Issue #14234: CVE-2012-0876: Randomize hashes of xml attributes

Transplant from main repo d6c197edd99b: Fixes Issue #14234: CVE-2012-0876:...
Transplant from main repo d6c197edd99b: Fixes Issue #14234: CVE-2012-0876: Randomize hashes of xml attributes
a5d729a7 · Georg Brandl · 48605a65 · a5d729a7 · a5d729a7 · a5d729a7
Commit a5d729a7 authored Mar 15, 2012 by Georg Brandl
5 changed files
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -7,12 +7,20 @@ What's New in Python 3.2.3?
 *Release date: XX-XXX-2012*
-Core and Builtins
-----------------
+What's New in Python 3.2.3 release candidate 2?
+===============================================
+*Release date: XX-Mar-2012*
 Library
 -------
+- Issue #14234: CVE-2012-0876: Randomize hashes of xml attributes in the hash
+  table internal to the pyexpat module's copy of the expat library to avoid a
+  denial of service due to hash collisions.  Patch by David Malcolm with some
+  modifications by the expat project.
 - Issue #6884: Fix long-standing bugs with MANIFEST.in parsing in distutils
  on Windows.

--- a/Modules/expat/expat.h
+++ b/Modules/expat/expat.h
@@ -883,6 +883,15 @@ XMLPARSEAPI(int)
 XML_SetParamEntityParsing(XML_Parser parser,
                          enum XML_ParamEntityParsing parsing);
+/* Sets the hash salt to use for internal hash calculations.
+   Helps in preventing DoS attacks based on predicting hash
+   function behavior. This must be called before parsing is started.
+   Returns 1 if successful, 0 when called after parsing has started.
+*/
+XMLPARSEAPI(int)
+XML_SetHashSalt(XML_Parser parser,
+                unsigned long hash_salt);
 /* If XML_Parse or XML_ParseBuffer have returned XML_STATUS_ERROR, then
   XML_GetErrorCode returns information about the error.
 */

--- a/Modules/expat/pyexpatns.h
+++ b/Modules/expat/pyexpatns.h
@@ -97,6 +97,7 @@
 #define XML_SetEntityDeclHandler        PyExpat_XML_SetEntityDeclHandler
 #define XML_SetExternalEntityRefHandler PyExpat_XML_SetExternalEntityRefHandler
 #define XML_SetExternalEntityRefHandlerArg  PyExpat_XML_SetExternalEntityRefHandlerArg
+#define XML_SetHashSalt                 PyExpat_XML_SetHashSalt
 #define XML_SetNamespaceDeclHandler     PyExpat_XML_SetNamespaceDeclHandler
 #define XML_SetNotationDeclHandler      PyExpat_XML_SetNotationDeclHandler
 #define XML_SetNotStandaloneHandler     PyExpat_XML_SetNotStandaloneHandler

--- a/Modules/expat/xmlparse.c
+++ b/Modules/expat/xmlparse.c
--- a/Modules/pyexpat.c
+++ b/Modules/pyexpat.c
@@ -1150,6 +1150,8 @@ newxmlparseobject(char *encoding, char *namespace_separator, PyObject *intern)
    else {
        self->itself = XML_ParserCreate(encoding);
    }
+    XML_SetHashSalt(self->itself,
+                    (unsigned long)_Py_HashSecret.prefix);
    self->intern = intern;
    Py_XINCREF(self->intern);
    PyObject_GC_Track(self);