
Replaced xml.etree.ElementTree #5565

merged 4 commits into python-pillow:master from the xml branch on Jun 30, 2021



@radarhere radarhere commented Jun 30, 2021

Warning The xml.etree.ElementTree module is not secure against maliciously constructed data. If you need to parse untrusted or unauthenticated data see XML vulnerabilities.

xml.etree.ElementTree is in use in getexif() and now getxmp(). So the earliest Pillow version affected is 7.2.0

The Python docs later recommend defusedxml.

The defusedxml Package
defusedxml is a pure Python package with modified subclasses of all stdlib XML parsers that prevent any potentially malicious operation. Use of this package is recommended for any server code that parses untrusted XML data.

So this PR replaces xml.etree.ElementTree in getxmp() with defusedxml.ElementTree. If it is not installed, an empty dictionary is returned instead and a warning is raised.

The use in getexif() is simpler, so I have just used re there instead.
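The approach the PR describes for getxmp(), as an added illustration rather than Pillow's own code: parse with defusedxml.ElementTree when it is importable, otherwise warn and return an empty dictionary. The XMP packet, the element-to-dict flattening and the `parse_xmp`/`rejects_entities` names are constructed for this example.

```python
import warnings

try:
    # Hardened drop-in for xml.etree.ElementTree; refuses entity expansion,
    # external references and similar constructs that the stdlib parser accepts.
    from defusedxml import ElementTree
    from defusedxml import DefusedXmlException
    DEFUSEDXML_AVAILABLE = True
except ImportError:
    ElementTree = None
    DefusedXmlException = Exception
    DEFUSEDXML_AVAILABLE = False

# Constructed sample XMP packet (not taken from the PR or from any real file).
XMP_SAMPLE = b"""<x:xmpmeta xmlns:x="adobe:ns:meta/">
 <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1/" dc:creator="alice">
   <dc:title>constructed sample</dc:title>
  </rdf:Description>
 </rdf:RDF>
</x:xmpmeta>"""

# Constructed document with an internal entity declaration, the kind of
# input defusedxml rejects by default (EntitiesForbidden).
ENTITY_SAMPLE = b'<!DOCTYPE x [<!ENTITY e "x">]><x>&e;</x>'


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified names."""
    return tag.rsplit("}", 1)[-1]


def _element_to_dict(element):
    """Flatten an element into a dict (assumed shape; repeated child tags overwrite)."""
    result = {_local(k): v for k, v in element.attrib.items()}
    for child in element:
        result[_local(child.tag)] = _element_to_dict(child)
    text = (element.text or "").strip()
    if text:
        result["text"] = text
    return result


def parse_xmp(xmp_bytes):
    """Mirror the PR's fallback: no defusedxml means a warning and {}."""
    if ElementTree is None:
        warnings.warn("XMP data cannot be read without the defusedxml dependency")
        return {}
    return _element_to_dict(ElementTree.fromstring(xmp_bytes))


def rejects_entities(xml_bytes):
    """True if the hardened parser refuses the document; False if it parses."""
    if ElementTree is None:
        return False
    try:
        ElementTree.fromstring(xml_bytes)
    except DefusedXmlException:
        return True
    return False
```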

@radarhere radarhere merged commit a8c042b into python-pillow:master Jun 30, 2021
50 checks passed
@radarhere radarhere deleted the xml branch Jun 30, 2021
@radarhere radarhere mentioned this pull request Jul 1, 2021