python3: add patch bpo-17239: Disable external entities in SAX parser

Change-Id: I44e969d8d3a8fe6b6426d61a1cbe83154c8518dd
Reviewed-on: https://gerrit.libreoffice.org/66329
Tested-by: Jenkins
Reviewed-by: Michael Stahl <Michael.Stahl@cib.de>
(cherry picked from commit a57dd8eba9c0799dd42eb547a37622bce8fdb0b3)
Reviewed-on: https://gerrit.libreoffice.org/66370
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>

2 files changed, 60 insertions, 0 deletions

diff --git a/external/python3/0001-3.6-bpo-17239-Disable-external-entities-in-SAX-parse.patch.1 b/external/python3/0001-3.6-bpo-17239-Disable-external-entities-in-SAX-parse.patch.1
new file mode 100644
index 000000000000..489e5d0e89ee
--- /dev/null
+++ b/external/python3/0001-3.6-bpo-17239-Disable-external-entities-in-SAX-parse.patch.1
@@ -0,0 +1,59 @@
+From 582d188e6e3487180891f1fc457a80dec8be26a8 Mon Sep 17 00:00:00 2001
+From: Christian Heimes <christian@python.org>
+Date: Mon, 24 Sep 2018 14:38:31 +0200
+Subject: [PATCH] [3.6] bpo-17239: Disable external entities in SAX parser
+ (GH-9217) (GH-9512)
+
+The SAX parser no longer processes general external entities by default
+to increase security. Before, the parser created network connections
+to fetch remote files or loaded local files from the file system for DTD
+and entities.
+
+Signed-off-by: Christian Heimes <christian@python.org>
+
+https://bugs.python.org/issue17239.
+(cherry picked from commit 17b1d5d4e36aa57a9b25a0e694affbd1ee637e45)
+
+Co-authored-by: Christian Heimes <christian@python.org>
+
+
+
+https://bugs.python.org/issue17239
+---
+ Doc/library/xml.dom.pulldom.rst               | 14 +++++
+ Doc/library/xml.rst                           |  6 +-
+ Doc/library/xml.sax.rst                       |  8 +++
+ Doc/whatsnew/3.6.rst                          | 18 +++++-
+ Lib/test/test_pulldom.py                      |  7 +++
+ Lib/test/test_sax.py                          | 60 ++++++++++++++++++-
+ Lib/test/test_xml_etree.py                    | 13 ++++
+ Lib/xml/sax/expatreader.py                    |  2 +-
+ .../2018-09-11-18-30-55.bpo-17239.kOpwK2.rst  |  3 +
+ 9 files changed, 125 insertions(+), 6 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2018-09-11-18-30-55.bpo-17239.kOpwK2.rst
+
+diff --git a/Lib/xml/sax/expatreader.py b/Lib/xml/sax/expatreader.py
+index 421358fa5b..5066ffc2fa 100644
+--- a/Lib/xml/sax/expatreader.py
++++ b/Lib/xml/sax/expatreader.py
+@@ -95,7 +95,7 @@ class ExpatParser(xmlreader.IncrementalParser, xmlreader.Locator):
+         self._lex_handler_prop = None
+         self._parsing = 0
+         self._entity_stack = []
+-        self._external_ges = 1
++        self._external_ges = 0
+         self._interning = None
+ 
+     # XMLReader methods
+diff --git a/Misc/NEWS.d/next/Security/2018-09-11-18-30-55.bpo-17239.kOpwK2.rst b/Misc/NEWS.d/next/Security/2018-09-11-18-30-55.bpo-17239.kOpwK2.rst
+new file mode 100644
+index 0000000000..8dd0fe8c1b
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2018-09-11-18-30-55.bpo-17239.kOpwK2.rst
+@@ -0,0 +1,3 @@
++The xml.sax and xml.dom.minidom parsers no longer processes external
++entities by default. External DTD and ENTITY declarations no longer
++load files or create network connections.
+-- 
+2.20.1
+
diff --git a/external/python3/UnpackedTarball_python3.mk b/external/python3/UnpackedTarball_python3.mk
index 35d6e643a1b0..ec1bdabe4fdd 100644
--- a/external/python3/UnpackedTarball_python3.mk
+++ b/external/python3/UnpackedTarball_python3.mk
@@ -26,6 +26,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,python3,\
 	external/python3/python-3.3.5-pyexpat-symbols.patch.1 \
 	external/python3/ubsan.patch.0 \
 	external/python3/python-3.5.tweak.strip.soabi.patch \
+	external/python3/0001-3.6-bpo-17239-Disable-external-entities-in-SAX-parse.patch.1 \
 ))
 
 ifneq ($(filter DRAGONFLY FREEBSD LINUX NETBSD OPENBSD SOLARIS,$(OS)),)