[Django] #36769: Limit recursive extraction of field values in XML deserializer


Django

Dec 3, 2025, 3:31:15 PM (2 days ago) Dec 3
to django-...@googlegroups.com
#36769: Limit recursive extraction of field values in XML deserializer
-------------------------------------+-------------------------------------
Reporter: Jacob Walls | Type: Cleanup/optimization
Status: new | Component: Core (Serialization)
Version: dev | Severity: Normal
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
While investigating [https://docs.djangoproject.com/en/5.2/releases/security/#december-2-2025-cve-2025-64460 CVE-2025-64460] (mitigated in 50efb718b31333051bc2dcb06911b8fa1358c98c), we noticed that the private helper `getInnerText` supports extracting [https://github.com/django/django/blob/93540b34d4ef46f68df2c8bfe90447d0f649a852/django/core/serializers/xml_serializer.py#L418 arbitrarily nested text]; however, its only use in Django is to extract text at most one level deep, under a `<natural>` tag, like in this [https://github.com/django/django/blob/5625bd590766e5ca8c2c76ba2307b98f7450ff83/tests/fixtures/fixtures/fixture9.xml#L22 fixture example].

We opted not to change this semantic in a patch release, but it occurred to me that we could extract text only at the exact expected depth (e.g. 0 if under `<field>` and 1 if under `<field><natural>`) and completely sidestep potential performance issues from invalid input making use of nested elements; see the recent [https://www.cve.org/CVERecord?id=CVE-2025-12084 Python CVE-2025-12084] that we also mitigated yesterday.

I would appreciate any arguments I might be missing, for example, if there are legitimate use cases for ingesting text from nested tags (e.g. from unescaped markup) that this proposal would break.
--
Ticket URL: <https://code.djangoproject.com/ticket/36769>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
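As an added illustration (not Django's own code: it parses a constructed fixture with xml.dom.minidom rather than the deserializer's own parser), the snippet below contrasts the unbounded inner-text extraction described in the ticket with the proposed exact-depth rule: text directly under `<field>`, or under `<field><natural>`, and an error for anything nested deeper.

```python
import xml.dom.minidom as minidom

# Constructed fixture in the Django XML serializer format (not taken from the ticket):
# one plain field and one natural-key field made of two <natural> parts.
SAMPLE_FIXTURE = """<?xml version="1.0" encoding="utf-8"?>
<django-objects version="1.0">
  <object model="library.book" pk="1">
    <field name="title" type="CharField">Dune</field>
    <field name="author" rel="ManyToOneRel" to="library.author">
      <natural>Frank</natural><natural>Herbert</natural>
    </field>
  </object>
</django-objects>"""


def unbounded_inner_text(node):
    """Current behaviour: gather text at any depth, so recursion depth is input-controlled."""
    parts = []
    for child in node.childNodes:
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            parts.append(child.data)
        elif child.nodeType == child.ELEMENT_NODE:
            parts.append(unbounded_inner_text(child))
    return "".join(parts)


def direct_text(node):
    """Proposed behaviour: only direct text children count; a nested element is an error."""
    parts = []
    for child in node.childNodes:
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            parts.append(child.data)
        elif child.nodeType == child.ELEMENT_NODE:
            raise ValueError(f"unexpected <{child.tagName}> nested under <{node.tagName}>")
    return "".join(parts)


def field_values(xml_text, extractor=direct_text):
    """Map each <field> name to a string (depth 0) or a list of <natural> strings (depth 1)."""
    doc = minidom.parseString(xml_text)
    values = {}
    for field in doc.getElementsByTagName("field"):
        elements = [c for c in field.childNodes if c.nodeType == c.ELEMENT_NODE]
        if elements and all(e.tagName == "natural" for e in elements):
            values[field.getAttribute("name")] = [extractor(e) for e in elements]
        else:
            values[field.getAttribute("name")] = extractor(field)
    return values
```

Passing `extractor=unbounded_inner_text` reproduces the current accept-anything behaviour; the default rejects the first unexpected element instead of descending into it.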

Django

Dec 4, 2025, 1:02:41 AM (yesterday) Dec 4
to django-...@googlegroups.com
#36769: Limit recursive extraction of field values in XML deserializer
-------------------------------------+-------------------------------------
Reporter: Jacob Walls | Owner: (none)
Type: Cleanup/optimization | Status: new
Component: Core (Serialization) | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Pravin):

* cc: Pravin (added)

--
Ticket URL: <https://code.djangoproject.com/ticket/36769#comment:1>

Django

Dec 4, 2025, 7:57:18 AM (yesterday) Dec 4
to django-...@googlegroups.com
#36769: Limit recursive extraction of field values in XML deserializer
--------------------------------------+------------------------------------
Reporter: Jacob Walls | Owner: (none)
Type: Cleanup/optimization | Status: new
Component: Core (Serialization) | Version: dev
Severity: Normal | Resolution:
Keywords: xml deserializer | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Natalia Bidart):

* cc: Shai Berger (added)
* keywords: => xml deserializer
* stage: Unreviewed => Accepted

Comment:

Thank you!
--
Ticket URL: <https://code.djangoproject.com/ticket/36769#comment:2>

Django

Dec 4, 2025, 8:09:29 AM (yesterday) Dec 4
to django-...@googlegroups.com
#36769: Limit recursive extraction of field values in XML deserializer
--------------------------------------+------------------------------------
Reporter: Jacob Walls | Owner: (none)
Type: Cleanup/optimization | Status: new
Component: Core (Serialization) | Version: dev
Severity: Normal | Resolution:
Keywords: xml deserializer | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Comment (by Pravin):

We could either change the helper function to accept only the types that
Django actually uses (regular text and the one-level-deep <natural> tag),
which would stop the recursion immediately for anything else, or we could
explicitly tell the function how deep it should go.
--
Ticket URL: <https://code.djangoproject.com/ticket/36769#comment:3>

Django

Dec 4, 2025, 8:10:23 AM (yesterday) Dec 4
to django-...@googlegroups.com
#36769: Limit recursive extraction of field values in XML deserializer
--------------------------------------+------------------------------------
Reporter: Jacob Walls | Owner: Pravin
Type: Cleanup/optimization | Status: assigned
Component: Core (Serialization) | Version: dev
Severity: Normal | Resolution:
Keywords: xml deserializer | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Pravin):

* owner: (none) => Pravin
* status: new => assigned

--
Ticket URL: <https://code.djangoproject.com/ticket/36769#comment:4>