Commits

Christian Heimes  committed 96a333e

add forbid_external to all classs and functions

  • Participants
  • Parent commits 1a86e82

Comments (0)

Files changed (7)

File defusedxml/ElementTree.py

 
 class DefusedXMLParser(_XMLParser):
     def __init__(self, html=0, target=None, encoding=None,
-                 forbid_dtd=False, forbid_entities=True):
+                 forbid_dtd=False, forbid_entities=True,
+                 forbid_external=True):
         if PY26 or PY31:
             _XMLParser.__init__(self, html, target)
         else:
             _XMLParser.__init__(self, html, target, encoding)
         self.forbid_dtd = forbid_dtd
         self.forbid_entities = forbid_entities
+        self.forbid_external = forbid_external
         if PY3 and not PY31:
             parser = self.parser
         else:
         if self.forbid_entities:
             parser.EntityDeclHandler = self.defused_entity_decl
             parser.UnparsedEntityDeclHandler = self.defused_unparsed_entity_decl
-        if hasattr(parser.ExternalEntityRefHandler, "__call__"):
+        if self.forbid_external:
             parser.ExternalEntityRefHandler = self.defused_external_entity_ref_handler
 
     def defused_start_doctype_decl(self, name, sysid, pubid,

File defusedxml/common.py

     """Factory for functions needed by etree, dependent on whether
     cElementTree or ElementTree is used."""
 
-    def parse(source, parser=None, forbid_dtd=False, forbid_entities=True):
+    def parse(source, parser=None, forbid_dtd=False, forbid_entities=True,
+              forbid_external=True):
         if parser is None:
             parser = DefusedXMLParser(target=_TreeBuilder(),
                                       forbid_dtd=forbid_dtd,
-                                      forbid_entities=forbid_entities)
+                                      forbid_entities=forbid_entities,
+                                      forbid_external=forbid_external)
         return _parse(source, parser)
 
     if PY26 or PY31:
         def unbound(f):
                 return getattr(f, "__func__", f)
         def iterparse(source, events=None, forbid_dtd=False,
-                      forbid_entities=True):
+                      forbid_entities=True, forbid_external=True):
             it = _iterparse(source, events)
             parser = it._parser._parser
             if forbid_dtd:
                     unbound(DefusedXMLParser.defused_entity_decl)
                 parser.UnparsedEntityDeclHandler = \
                     unbound(DefusedXMLParser.defused_unparsed_entity_decl)
-            if hasattr(parser.ExternalEntityRefHandler, "__call__"):
+            if forbid_external:
                 parser.ExternalEntityRefHandler = \
                     unbound(DefusedXMLParser.defused_external_entity_ref_handler)
             return it
     elif PY3:
         def iterparse(source, events=None, parser=None, forbid_dtd=False,
-                      forbid_entities=True):
+                      forbid_entities=True, forbid_external=True):
             close_source = False
             if not hasattr(source, "read"):
                 source = open(source, "rb")
                 close_source = True
             if not parser:
-                parser = DefusedXMLParser(target=_TreeBuilder())
+                parser = DefusedXMLParser(target=_TreeBuilder(),
+                                          forbid_dtd=forbid_dtd,
+                                          forbid_entities=forbid_entities,
+                                          forbid_external=forbid_external)
             return _IterParseIterator(source, events, parser, close_source)
     else:
         # Python 2.7
                 parser = DefusedXMLParser(target=_TreeBuilder())
             return _iterparse(source, events, parser)
 
-    def fromstring(text, forbid_dtd=False, forbid_entities=True):
+    def fromstring(text, forbid_dtd=False, forbid_entities=True,
+                   forbid_external=True):
         parser = DefusedXMLParser(target=_TreeBuilder(),
                                   forbid_dtd=forbid_dtd,
-                                  forbid_entities=forbid_entities)
+                                  forbid_entities=forbid_entities,
+                                  forbid_external=forbid_external)
         parser.feed(text)
         return parser.close()
 

File defusedxml/expatbuilder.py

 
 
 class DefusedExpatBuilder(_ExpatBuilder):
-    def __init__(self, options=None, forbid_dtd=False, forbid_entities=True):
+    """Defused document builder"""
+
+    def __init__(self, options=None, forbid_dtd=False, forbid_entities=True,
+                 forbid_external=True):
         _ExpatBuilder.__init__(self, options)
         self.forbid_dtd = forbid_dtd
         self.forbid_entities = forbid_entities
+        self.forbid_external = forbid_external
 
     def defused_start_doctype_decl(self, name, sysid, pubid,
                                    has_internal_subset):
             #if self._options.entities:
             parser.EntityDeclHandler = self.defused_entity_decl
             parser.UnparsedEntityDeclHandler = self.defused_unparsed_entity_decl
-        if hasattr(parser.ExternalEntityRefHandler, "__call__"):
+        if self.forbid_external:
             parser.ExternalEntityRefHandler = self.defused_external_entity_ref_handler
 
 
 class DefusedExpatBuilderNS(_Namespaces, DefusedExpatBuilder):
-    """Document builder that supports namespaces."""
+    """Defused document builder that supports namespaces."""
 
     def install(self, parser):
         DefusedExpatBuilder.install(self, parser)
         self._initNamespaces()
 
 
-def parse(file, namespaces=True, forbid_dtd=False, forbid_entities=True):
+def parse(file, namespaces=True, forbid_dtd=False, forbid_entities=True,
+          forbid_external=True):
     """Parse a document, returning the resulting Document node.
 
     'file' may be either a file name or an open file object.
     """
     if namespaces:
-        builder = DefusedExpatBuilderNS(forbid_dtd=forbid_dtd,
-                                        forbid_entities=forbid_entities)
+        build_builder = DefusedExpatBuilderNS
     else:
-        builder = DefusedExpatBuilder(forbid_dtd=forbid_dtd,
-                                      forbid_entities=forbid_entities)
+        build_builder = DefusedExpatBuilder
+    builder = build_builder(forbid_dtd=forbid_dtd,
+                            forbid_entities=forbid_entities,
+                            forbid_external=forbid_external)
 
     if isinstance(file, str):
         fp = open(file, 'rb')
 
 
 def parseString(string, namespaces=True, forbid_dtd=False,
-                forbid_entities=True):
+                forbid_entities=True, forbid_external=True):
     """Parse a document from a string, returning the resulting
     Document node.
     """
     else:
         build_builder = DefusedExpatBuilder
     builder = build_builder(forbid_dtd=forbid_dtd,
-                            forbid_entities=forbid_entities)
+                            forbid_entities=forbid_entities,
+                            forbid_external=forbid_external)
     return builder.parseString(string)

File defusedxml/expatreader.py

 
 
 class DefusedExpatParser(_ExpatParser):
+    """Defused SAX driver for the pyexpat C module."""
 
-    def __init__(self, forbid_dtd=False, forbid_entities=True,
-                 *args, **kwargs):
-        _ExpatParser.__init__(self, *args, **kwargs)
+    def __init__(self, namespaceHandling=0, bufsize=2 ** 16 - 20,
+                 forbid_dtd=False, forbid_entities=True,
+                 forbid_external=True):
+        _ExpatParser.__init__(self, namespaceHandling, bufsize)
         self.forbid_dtd = forbid_dtd
         self.forbid_entities = forbid_entities
+        self.forbid_external = forbid_external
 
     def defused_start_doctype_decl(self, name, sysid, pubid,
                                    has_internal_subset):
         if self.forbid_entities:
             parser.EntityDeclHandler = self.defused_entity_decl
             parser.UnparsedEntityDeclHandler = self.defused_unparsed_entity_decl
-        if hasattr(parser.ExternalEntityRefHandler, "__call__"):
+        if self.forbid_external:
             parser.ExternalEntityRefHandler = self.defused_external_entity_ref_handler
 
 

File defusedxml/minidom.py

 
 __origin__ = "xml.dom.minidom"
 
-def parse(file, parser=None, bufsize=None, forbid_dtd=False, forbid_entities=True):
+def parse(file, parser=None, bufsize=None, forbid_dtd=False,
+          forbid_entities=True, forbid_external=True):
     """Parse a file into a DOM by filename or file object."""
     if parser is None and not bufsize:
         return _expatbuilder.parse(file, forbid_dtd=forbid_dtd,
-                                   forbid_entities=forbid_entities)
+                                   forbid_entities=forbid_entities,
+                                   forbid_external=forbid_external)
     else:
         return _do_pulldom_parse(_pulldom.parse, (file,),
             {'parser': parser, 'bufsize': bufsize,
-             'forbid_dtd': forbid_dtd, 'forbid_entities': forbid_entities})
+             'forbid_dtd': forbid_dtd, 'forbid_entities': forbid_entities,
+             'forbid_external': forbid_external})
 
 def parseString(string, parser=None, forbid_dtd=False,
-                forbid_entities=True):
+                forbid_entities=True, forbid_external=True):
     """Parse a file into a DOM from a string."""
     if parser is None:
         return _expatbuilder.parseString(string, forbid_dtd=forbid_dtd,
-                                        forbid_entities=forbid_entities)
+                                        forbid_entities=forbid_entities,
+                                        forbid_external=forbid_external)
     else:
         return _do_pulldom_parse(_pulldom.parseString, (string,),
                                  {'parser': parser, 'forbid_dtd': forbid_dtd,
-                                  'forbid_entities': forbid_entities})
+                                  'forbid_entities': forbid_entities,
+                                  'forbid_external': forbid_external})

File defusedxml/pulldom.py

 
 
 def parse(stream_or_string, parser=None, bufsize=None, forbid_dtd=False,
-          forbid_entities=True):
+          forbid_entities=True, forbid_external=True):
     if parser is None:
         parser = make_parser()
         parser.forbid_dtd = forbid_dtd
         parser.forbid_entities = forbid_entities
+        parser.forbid_external = forbid_external
     return _parse(stream_or_string, parser, bufsize)
 
 
-def parseString(string, parser=None, forbid_dtd=False, forbid_entities=True):
+def parseString(string, parser=None, forbid_dtd=False,
+                forbid_entities=True, forbid_external=True):
     if parser is None:
         parser = make_parser()
         parser.forbid_dtd = forbid_dtd
         parser.forbid_entities = forbid_entities
+        parser.forbid_external = forbid_external
     return _parseString(string, parser)

File defusedxml/sax.py

 __origin__ = "xml.sax"
 
 def parse(source, handler, errorHandler=_ErrorHandler(), forbid_dtd=False,
-          forbid_entities=True):
+          forbid_entities=True, forbid_external=True):
     parser = make_parser()
     parser.setContentHandler(handler)
     parser.setErrorHandler(errorHandler)
     parser.forbid_dtd = forbid_dtd
     parser.forbid_entities = forbid_entities
+    parser.forbid_external = forbid_external
     parser.parse(source)
 
 
 def parseString(string, handler, errorHandler=_ErrorHandler(),
-                forbid_dtd=False, forbid_entities=True):
+                forbid_dtd=False, forbid_entities=True,
+                forbid_external=True):
     from io import BytesIO
 
     if errorHandler is None:
     parser.setErrorHandler(errorHandler)
     parser.forbid_dtd = forbid_dtd
     parser.forbid_entities = forbid_entities
+    parser.forbid_external = forbid_external
 
     inpsrc = _InputSource()
     inpsrc.setByteStream(BytesIO(string))