Fixes #229 - External entity loading disabled by default

Fixes CVE-2020-10799
deeplook · Mar 22, 2020 · d6d08c4 · d6d08c4
1 parent cb33349
commit d6d08c4
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 4 deletions.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -3,6 +3,12 @@
 ChangeLog
 =========
 
+0.9.4 (2020-03-22)
+------------------
+
+- disabled external entity loading by default (#229 - CVE-2020-10799)
+
+
 0.9.3 (2019-11-02)
 ------------------
 

diff --git a/svglib/svglib.py b/svglib/svglib.py
@@ -1402,7 +1402,7 @@ def applyStyleOnShape(self, shape, node, only_explicit=False):
             shape.fillColor.alpha = shape.fillOpacity
 
 
-def svg2rlg(path, **kwargs):
+def svg2rlg(path, resolve_entities=False, **kwargs):
     "Convert an SVG file to an RLG Drawing object."
 
     # unzip .svgz file into .svg
@@ -1413,7 +1413,7 @@ def svg2rlg(path, **kwargs):
         path = path[:-1]
         unzipped = True
 
-    svg_root = load_svg_file(path)
+    svg_root = load_svg_file(path, resolve_entities=resolve_entities)
     if svg_root is None:
         return
 
@@ -1428,8 +1428,10 @@ def svg2rlg(path, **kwargs):
     return drawing
 
 
-def load_svg_file(path):
-    parser = etree.XMLParser(remove_comments=True, recover=True)
+def load_svg_file(path, resolve_entities=False):
+    parser = etree.XMLParser(
+        remove_comments=True, recover=True, resolve_entities=resolve_entities
+    )
     try:
         doc = etree.parse(path, parser=parser)
         svg_root = doc.getroot()