Skip to content
Permalink
Browse files

Add NULL check after native call to __html__ method

If the method raises an exception, PyObject_CallObject() returns NULL,
but the code didn't check for that, which led to a segfault.

Fixes #108
  • Loading branch information...
mthuurne authored and davidism committed Feb 18, 2019
1 parent 0b52aee commit eb9c1d434ba7a904410b954426800fc963986d56
Showing with 24 additions and 0 deletions.
  1. +3 −0 src/markupsafe/_speedups.c
  2. +21 −0 tests/test_exception_custom_html.py
@@ -311,6 +311,9 @@ escape(PyObject *self, PyObject *text)
if (html) {
s = PyObject_CallObject(html, NULL);
Py_DECREF(html);
if (s == NULL) {
return NULL;
}
/* Convert to Markup object */
rv = PyObject_CallFunctionObjArgs(markup, (PyObject*)s, NULL);
Py_DECREF(s);
@@ -0,0 +1,21 @@
# -*- coding: utf-8 -*-
import pytest

from markupsafe import escape


class CustomHtmlThatRaises(object):
def __html__(self):
raise ValueError(123)


def test_exception_custom_html():
"""Checks whether exceptions in custom __html__ implementations are
propagated correctly.
There was a bug in the native implementation at some point:
https://github.com/pallets/markupsafe/issues/108
"""
obj = CustomHtmlThatRaises()
with pytest.raises(ValueError):
escape(obj)

0 comments on commit eb9c1d4

Please sign in to comment.
You can’t perform that action at this time.