gh-148954: Escape methodname in xmlrpc.client.dumps() to prevent XML injection (GH-148968)

2026-06-10 11:52:01 +00:00 · 2026-06-07 03:08:15 +05:30 · 2026-06-07 03:08:15 +05:30 · ab930175e7
commit ab930175e7
parent 69851a6407
3 changed files with 13 additions and 1 deletions
--- a/Lib/test/test_xmlrpc.py
+++ b/Lib/test/test_xmlrpc.py
@ -208,6 +208,17 @@ def test_dump_encoding(self):
        self.assertEqual(xmlrpclib.loads(strg)[0][0], value)
        self.assertEqual(xmlrpclib.loads(strg)[1], methodname)

+    def test_dump_escape_methodname(self):
+        payload = 'foo</methodName><injected attr="evil"/><methodName>bar'
+        s = xmlrpclib.dumps((), methodname=payload)
+        self.assertIn(
+            '<methodName>foo&lt;/methodName&gt;&lt;injected attr="evil"/&gt;'
+            '&lt;methodName&gt;bar</methodName>', s
+        )
+        self.assertNotIn('<injected attr="evil"/>', s)
+        load, m = xmlrpclib.loads(s)
+        self.assertEqual(m, payload)
+
    def test_dump_bytes(self):
        sample = b"my dog has fleas"
        self.assertEqual(sample, xmlrpclib.Binary(sample))
--- a/Lib/xmlrpc/client.py
+++ b/Lib/xmlrpc/client.py
@ -965,7 +965,7 @@ def dumps(params, methodname=None, methodresponse=None, encoding=None,
        data = (
            xmlheader,
            "<methodCall>\n"
-            "<methodName>", methodname, "</methodName>\n",
+            "<methodName>", escape(methodname), "</methodName>\n",
            data,
            "</methodCall>\n"
            )
--- a/Misc/NEWS.d/next/Library/2026-04-24-19-54-00.gh-issue-148954.v1.rst
+++ b/Misc/NEWS.d/next/Library/2026-04-24-19-54-00.gh-issue-148954.v1.rst
@ -0,0 +1 @@
+Fix XML injection vulnerability in :func:`xmlrpc.client.dumps` where the ``methodname`` was not being escaped before interpolation into the XML body.
				`@ -0,0 +1 @@`
				Fix XML injection vulnerability in :func:`xmlrpc.client.dumps` where the ``methodname`` was not being escaped before interpolation into the XML body.