[3.7] bpo-17239: Disable external entities in SAX parser (GH-9217) (GH-9511)
To increase security, the SAX parser no longer processes general external
entities by default. Previously, the parser opened network connections to
fetch remote files, or loaded local files from the file system, when
resolving DTDs and entities.
Signed-off-by: Christian Heimes <christian@python.org>
https://bugs.python.org/issue17239.
(cherry picked from commit 17b1d5d4e36aa57a9b25a0e694affbd1ee637e45)
Co-authored-by: Christian Heimes <christian@python.org>
https://bugs.python.org/issue17239
diff --git a/Lib/test/test_pulldom.py b/Lib/test/test_pulldom.py
index 3d89e3a..6dc51e4 100644
--- a/Lib/test/test_pulldom.py
+++ b/Lib/test/test_pulldom.py
@@ -3,6 +3,7 @@
import xml.sax
from xml.sax.xmlreader import AttributesImpl
+from xml.sax.handler import feature_external_ges
from xml.dom import pulldom
from test.support import findfile
@@ -159,6 +160,12 @@
self.fail(
"Ran out of events, but should have received END_DOCUMENT")
+ def test_external_ges_default(self):
+ parser = pulldom.parseString(SMALL_SAMPLE)
+ saxparser = parser.parser
+ ges = saxparser.getFeature(feature_external_ges)
+ self.assertEqual(ges, False)
+
class ThoroughTestCase(unittest.TestCase):
"""Test the hard-to-reach parts of pulldom."""
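Review bot: `test_external_ges_default` only pins the value that `getFeature(feature_external_ges)` reports for the `pulldom.parseString` path. It does not check that a document containing an external general entity is parsed without the entity being fetched, and it does not cover `pulldom.parse()` with the default parser, so a regression in either would presumably go unnoticed by this test. The description also mentions DTD loading, but nothing visible here asserts the state of `feature_external_pes`; that may be covered in a part of the change not shown in this hunk. A one-line comment such as `# bpo-17239: external general entities must stay disabled by default` would tell later maintainers that this is a security regression test. The enclosing test class starts outside the hunk.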