|
|
|
|
|
|
|
|
|
|
|
"""Defused xml.etree.ElementTree facade |
|
""" |
|
from __future__ import print_function, absolute_import |
|
|
|
import sys |
|
import warnings |
|
from xml.etree.ElementTree import ParseError |
|
from xml.etree.ElementTree import TreeBuilder as _TreeBuilder |
|
from xml.etree.ElementTree import parse as _parse |
|
from xml.etree.ElementTree import tostring |
|
|
|
from .common import PY3 |
|
|
|
if PY3: |
|
import importlib |
|
else: |
|
from xml.etree.ElementTree import XMLParser as _XMLParser |
|
from xml.etree.ElementTree import iterparse as _iterparse |
|
|
|
|
|
from .common import ( |
|
DTDForbidden, |
|
EntitiesForbidden, |
|
ExternalReferenceForbidden, |
|
_generate_etree_functions, |
|
) |
|
|
|
__origin__ = "xml.etree.ElementTree" |
|
|
|
|
|
def _get_py3_cls(): |
|
"""Python 3.3 hides the pure Python code but defusedxml requires it. |
|
|
|
The code is based on test.support.import_fresh_module(). |
|
""" |
|
pymodname = "xml.etree.ElementTree" |
|
cmodname = "_elementtree" |
|
|
|
pymod = sys.modules.pop(pymodname, None) |
|
cmod = sys.modules.pop(cmodname, None) |
|
|
|
sys.modules[cmodname] = None |
|
try: |
|
pure_pymod = importlib.import_module(pymodname) |
|
finally: |
|
|
|
sys.modules[pymodname] = pymod |
|
if cmod is not None: |
|
sys.modules[cmodname] = cmod |
|
else: |
|
sys.modules.pop(cmodname, None) |
|
|
|
etree_pkg = sys.modules["xml.etree"] |
|
if pymod is not None: |
|
etree_pkg.ElementTree = pymod |
|
elif hasattr(etree_pkg, "ElementTree"): |
|
del etree_pkg.ElementTree |
|
|
|
_XMLParser = pure_pymod.XMLParser |
|
_iterparse = pure_pymod.iterparse |
|
|
|
pure_pymod.ParseError = ParseError |
|
|
|
return _XMLParser, _iterparse |
|
|
|
|
|
if PY3: |
|
_XMLParser, _iterparse = _get_py3_cls() |
|
|
|
|
|
_sentinel = object() |
|
|
|
|
|
class DefusedXMLParser(_XMLParser): |
|
def __init__( |
|
self, |
|
html=_sentinel, |
|
target=None, |
|
encoding=None, |
|
forbid_dtd=False, |
|
forbid_entities=True, |
|
forbid_external=True, |
|
): |
|
|
|
_XMLParser.__init__(self, target=target, encoding=encoding) |
|
if html is not _sentinel: |
|
|
|
|
|
if html: |
|
raise TypeError("'html=True' is no longer supported.") |
|
else: |
|
warnings.warn( |
|
"'html' keyword argument is no longer supported. Pass " |
|
"in arguments as keyword arguments.", |
|
category=DeprecationWarning, |
|
) |
|
|
|
self.forbid_dtd = forbid_dtd |
|
self.forbid_entities = forbid_entities |
|
self.forbid_external = forbid_external |
|
if PY3: |
|
parser = self.parser |
|
else: |
|
parser = self._parser |
|
if self.forbid_dtd: |
|
parser.StartDoctypeDeclHandler = self.defused_start_doctype_decl |
|
if self.forbid_entities: |
|
parser.EntityDeclHandler = self.defused_entity_decl |
|
parser.UnparsedEntityDeclHandler = self.defused_unparsed_entity_decl |
|
if self.forbid_external: |
|
parser.ExternalEntityRefHandler = self.defused_external_entity_ref_handler |
|
|
|
def defused_start_doctype_decl(self, name, sysid, pubid, has_internal_subset): |
|
raise DTDForbidden(name, sysid, pubid) |
|
|
|
def defused_entity_decl( |
|
self, name, is_parameter_entity, value, base, sysid, pubid, notation_name |
|
): |
|
raise EntitiesForbidden(name, value, base, sysid, pubid, notation_name) |
|
|
|
def defused_unparsed_entity_decl(self, name, base, sysid, pubid, notation_name): |
|
|
|
raise EntitiesForbidden(name, None, base, sysid, pubid, notation_name) |
|
|
|
def defused_external_entity_ref_handler(self, context, base, sysid, pubid): |
|
raise ExternalReferenceForbidden(context, base, sysid, pubid) |
|
|
|
|
|
|
|
|
|
XMLTreeBuilder = XMLParse = XMLParser = DefusedXMLParser |
|
|
|
parse, iterparse, fromstring = _generate_etree_functions( |
|
DefusedXMLParser, _TreeBuilder, _parse, _iterparse |
|
) |
|
XML = fromstring |
|
|
|
|
|
__all__ = [ |
|
"ParseError", |
|
"XML", |
|
"XMLParse", |
|
"XMLParser", |
|
"XMLTreeBuilder", |
|
"fromstring", |
|
"iterparse", |
|
"parse", |
|
"tostring", |
|
] |
|
|
