From 9f61271dc1ca82ed91f529b130fe5dc5c9bf1f4c Mon Sep 17 00:00:00 2001
From: Cosimo Lupo <clupo@google.com>
Date: Fri, 15 Sep 2023 16:50:38 +0200
Subject: [PATCH] subset: parse OT-SVG with resolve_entities=False
Origin: https://github.com/fonttools/fonttools/commit/9f61271dc1ca82ed91f529b130fe5dc5c9bf1f4c
to guard against XXE attacks as recommended in https://codeql.github.com/codeql-query-help/python/py-xxe/
---
Lib/fontTools/subset/svg.py | 3 +++
1 file changed, 3 insertions(+)
diff --git a/Lib/fontTools/subset/svg.py b/Lib/fontTools/subset/svg.py
index f6d74a4002..2e55bf54c0 100644
--- a/Lib/fontTools/subset/svg.py
+++ b/Lib/fontTools/subset/svg.py
@@ -225,6 +225,9 @@ def subset_glyphs(self, s) -> bool:
# ignore blank text as it's not meaningful in OT-SVG; it also prevents
# dangling tail text after removing an element when pretty_print=True
remove_blank_text=True,
+ # don't replace entities; we don't expect any in OT-SVG and they may
+ # aboused for XXE attacks
+ resolve_entities=False,
),
)
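Review bot: The comment added above `resolve_entities=False` has a typo and a dropped verb ("they may aboused for XXE attacks"); suggest `# don't resolve entities; OT-SVG isn't expected to contain any, and external entities could be abused for XXE`. If this parser is `lxml.etree.XMLParser` (the keyword names `remove_blank_text` and `resolve_entities` suggest so), `resolve_entities=False` only stops entity substitution, while the defaults `load_dtd=False` and `no_network=True` are what keep a DOCTYPE from pulling external resources, so pinning those two explicitly next to this argument would make the hardening intent self-documenting rather than dependent on library defaults. The enclosing `subset_glyphs` method and the parser constructor call both begin outside the hunk.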