https://github.com/python/cpython/commit/ab930175e7e909aaa3ec7e761bfdbb886677bebb
commit: ab930175e7e909aaa3ec7e761bfdbb886677bebb
branch: main
author: Sanyam Kumat <[email protected]>
committer: serhiy-storchaka <[email protected]>
date: 2026-06-06T21:38:15Z
summary:
gh-148954: Escape methodname in xmlrpc.client.dumps() to prevent XML injection
(GH-148968)
files:
A Misc/NEWS.d/next/Library/2026-04-24-19-54-00.gh-issue-148954.v1.rst
M Lib/test/test_xmlrpc.py
M Lib/xmlrpc/client.py
diff --git a/Lib/test/test_xmlrpc.py b/Lib/test/test_xmlrpc.py
index 2803c6d45c27bfa..ee0e24f6e86ae33 100644
--- a/Lib/test/test_xmlrpc.py
+++ b/Lib/test/test_xmlrpc.py
@@ -208,6 +208,17 @@ def test_dump_encoding(self):
self.assertEqual(xmlrpclib.loads(strg)[0][0], value)
self.assertEqual(xmlrpclib.loads(strg)[1], methodname)
+ def test_dump_escape_methodname(self):
+ payload = 'foo</methodName><injected attr="evil"/><methodName>bar'
+ s = xmlrpclib.dumps((), methodname=payload)
+ self.assertIn(
+ '<methodName>foo</methodName><injected attr="evil"/>'
+ '<methodName>bar</methodName>', s
+ )
+ self.assertNotIn('<injected attr="evil"/>', s)
+ load, m = xmlrpclib.loads(s)
+ self.assertEqual(m, payload)
+
def test_dump_bytes(self):
sample = b"my dog has fleas"
self.assertEqual(sample, xmlrpclib.Binary(sample))
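Review bot: The first assertion in test_dump_escape_methodname contradicts the second: `assertIn('<methodName>foo</methodName><injected attr="evil"/><methodName>bar</methodName>', s)` can only hold if the payload reached the document unescaped, and in that case the following `assertNotIn('<injected attr="evil"/>', s)` fails because it is a substring of the first. Unless the mailing-list rendering dropped a `Not`, the first call should read `self.assertNotIn(...)`. It would also strengthen the test to pin the escaped form positively, e.g. `self.assertIn('&lt;injected attr=', s)`, so that an escaping routine that merely mangles the name cannot pass; the `loads` round-trip at the end already checks that the name survives intact. The new method is complete within the hunk; the surrounding context lines belong to neighbouring tests that start or end outside it.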
diff --git a/Lib/xmlrpc/client.py b/Lib/xmlrpc/client.py
index f441376d09c4aa2..84e4e4d11a7319e 100644
--- a/Lib/xmlrpc/client.py
+++ b/Lib/xmlrpc/client.py
@@ -965,7 +965,7 @@ def dumps(params, methodname=None, methodresponse=None,
encoding=None,
data = (
xmlheader,
"<methodCall>\n"
- "<methodName>", methodname, "</methodName>\n",
+ "<methodName>", escape(methodname), "</methodName>\n",
data,
"</methodCall>\n"
)
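Review bot: `escape(methodname)` on the `<methodName>` line closes the break-out, but the reason is not recorded at the call site and a later refactor could silently drop it; a short comment would help: `# escape so a caller-supplied name cannot close <methodName> and inject elements`. The `dumps` docstring (the function begins and ends outside this hunk) should also state that methodname is escaped for XML, not validated: the XML-RPC spec limits method names to letters, digits, `_`, `.`, `:` and `/`, so a name with other characters is now serialized as well-formed XML but may still be rejected by a strict server. Which `escape` is bound here is not visible in the hunk; if it is this module's own helper that replaces only `&`, `<` and `>`, that is sufficient for element text content, but it is worth confirming that `methodname` is always a `str` by this point, since a bytes value would fail inside `escape` rather than being serialized as before.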
diff --git
a/Misc/NEWS.d/next/Library/2026-04-24-19-54-00.gh-issue-148954.v1.rst
b/Misc/NEWS.d/next/Library/2026-04-24-19-54-00.gh-issue-148954.v1.rst
new file mode 100644
index 000000000000000..6245af7e362e920
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2026-04-24-19-54-00.gh-issue-148954.v1.rst
@@ -0,0 +1 @@
+Fix XML injection vulnerability in :func:`xmlrpc.client.dumps` where the
``methodname`` was not being escaped before interpolation into the XML body.