Mon Feb 25 20:47:51 EST 2019

commit: 7cd08cf62086a8a2d84fd825dfcd8bfe33bf1986
branch: 3.5
author: Victor Stinner <vstinner at redhat.com>
committer: larryhastings <larry at hastings.org>
date: 2019-02-25T17:47:47-08:00

bpo-34791: xml package obeys ignore env flags (GH-9544) (#11871)

The xml.sax and xml.dom.domreg modules now obey

Signed-off-by: Christian Heimes <christian at python.org>

(cherry picked from commit 223e501fb9c2b6ae21b96054e20c4c31d94a5d96)

A Misc/NEWS.d/next/Security/2018-09-24-18-49-25.bpo-34791.78GmIG.rst
M Lib/xml/dom/domreg.py
M Lib/xml/sax/__init__.py

diff --git a/Lib/xml/dom/domreg.py b/Lib/xml/dom/domreg.py
index 8c3d901acb0b..69c17eebb265 100644
--- a/Lib/xml/dom/domreg.py
+++ b/Lib/xml/dom/domreg.py
@@ -6,6 +6,8 @@
 # should be published by posting to xml-sig at python.org, and are
 # subsequently recorded in this file.
+import sys
 well_known_implementations = {
     '4DOM': 'xml.dom.DOMImplementation',
@@ -55,7 +57,7 @@ def getDOMImplementation(name=None, features=()):
         return mod.getDOMImplementation()
     elif name:
         return registered[name]()
-    elif "PYTHON_DOM" in os.environ:
+    elif not sys.flags.ignore_environment and "PYTHON_DOM" in os.environ:
         return getDOMImplementation(name = os.environ["PYTHON_DOM"])
     # User did not specify a name, try implementations in arbitrary
diff --git a/Lib/xml/sax/__init__.py b/Lib/xml/sax/__init__.py
index ef67ae67a6bd..13f6cf58d0d2 100644
--- a/Lib/xml/sax/__init__.py
+++ b/Lib/xml/sax/__init__.py
@@ -58,7 +58,7 @@ def parseString(string, handler, errorHandler=ErrorHandler()):
     import xml.sax.expatreader
 import os, sys
-if "PY_SAX_PARSER" in os.environ:
+if not sys.flags.ignore_environment and "PY_SAX_PARSER" in os.environ:
     default_parser_list = os.environ["PY_SAX_PARSER"].split(",")
 del os
diff --git a/Misc/NEWS.d/next/Security/2018-09-24-18-49-25.bpo-34791.78GmIG.rst b/Misc/NEWS.d/next/Security/2018-09-24-18-49-25.bpo-34791.78GmIG.rst
new file mode 100644
index 000000000000..afb59f8cb0eb
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2018-09-24-18-49-25.bpo-34791.78GmIG.rst
@@ -0,0 +1,3 @@
+The xml.sax and xml.dom.domreg no longer use environment variables to
+override parser implementations when sys.flags.ignore_environment is set by
+-E or -I arguments.

