Replaced xml.etree.ElementTree #5565

merged 4 commits into from Jun 30, 2021

Warning The xml.etree.ElementTree module is not secure against maliciously constructed data. If you need to parse untrusted or unauthenticated data see XML vulnerabilities.

xml.etree.ElementTree is in use in getexif() and now getxmp(), so the earliest Pillow version affected is 7.2.0.

The Python docs later recommend defusedxml.

The defusedxml Package
defusedxml is a pure Python package with modified subclasses of all stdlib XML parsers that prevent any potentially malicious operation. Use of this package is recommended for any server code that parses untrusted XML data.

So this PR replaces xml.etree.ElementTree in getxmp() with defusedxml.ElementTree. If it is not installed, an empty dictionary is returned instead and a warning is raised.

The use in getexif() is simpler, so I have just used re there instead.
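The pattern the PR describes for getxmp(), as an added example that is not Pillow's code: use defusedxml.ElementTree when it is importable, return an empty dictionary with a warning when it is not, and treat a packet that the hardened parser refuses (DTD/entity constructs) the same way. The `_to_dict` converter, the warning texts and the two XMP packets are constructed for this example.

```python
import warnings
from xml.etree.ElementTree import ParseError  # same class defusedxml raises on bad XML

try:
    from defusedxml import DefusedXmlException
    from defusedxml import ElementTree as SafeET  # hardened drop-in for xml.etree
except ImportError:  # defusedxml is an optional dependency
    SafeET = None
    DefusedXmlException = Exception


def parser_available():
    """True when the hardened defusedxml parser could be imported."""
    return SafeET is not None


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return tag.rsplit("}", 1)[-1]


def _to_dict(element):
    """Flatten an element into {local name: value}; text-only leaves become text.
    Own converter for this example, not Pillow's getxmp() structure."""
    if len(element) == 0 and not element.attrib:
        return (element.text or "").strip()
    out = {_local(k): v for k, v in element.attrib.items()}
    for child in element:
        out[_local(child.tag)] = _to_dict(child)
    return out


def parse_xmp(xmp_bytes):
    """Parse an XMP packet; {} when no safe parser exists or the data is rejected."""
    if SafeET is None:
        warnings.warn("XMP data cannot be read without defusedxml dependency")
        return {}
    try:
        root = SafeET.fromstring(xmp_bytes)  # forbid_entities=True by default
    except (DefusedXmlException, ParseError) as exc:
        warnings.warn(f"XMP packet rejected: {exc!r}")
        return {}
    return _to_dict(root)


# Constructed sample packets, not taken from any real image.
BENIGN_XMP = b"""<x:xmpmeta xmlns:x="adobe:ns:meta/">
 <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1/" dc:creator="constructed"/>
 </rdf:RDF></x:xmpmeta>"""
# An internal entity declaration: stdlib expat expands it, defusedxml refuses it.
ENTITY_XMP = b"""<!DOCTYPE x [<!ENTITY e "x">]><x:xmpmeta xmlns:x="adobe:ns:meta/">&e;</x:xmpmeta>"""
```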
