gh-148954: sanitize methodname in xmlrpc.client.dumps() to prevent XML injection

sanyamk23 · sanyamk23 · commit 4e67dfdcae93 · 2026-04-24T22:55:09.000+05:30
diff --git a/Lib/xmlrpc/client.py b/Lib/xmlrpc/client.py
@@ -965,7 +965,7 @@ def dumps(params, methodname=None, methodresponse=None, encoding=None,
         data = (
             xmlheader,
             "<methodCall>\n"
-            "<methodName>", methodname, "</methodName>\n",
+            "<methodName>", escape(methodname), "</methodName>\n",
             data,
             "</methodCall>\n"
             )
diff --git a/Misc/NEWS.d/next/Security/2026-04-24-19-54-00.gh-issue-148954.v1.rst b/Misc/NEWS.d/next/Security/2026-04-24-19-54-00.gh-issue-148954.v1.rst
@@ -0,0 +1,2 @@
+Fix XML injection vulnerability in :func:`xmlrpc.client.dumps` where the ``methodname``
+was not being escaped before interpolation into the XML body.

Original file line number	Diff line number	Diff line change
`@@ -965,7 +965,7 @@ def dumps(params, methodname=None, methodresponse=None, encoding=None,`
`965`	`965`	`data = (`
`966`	`966`	`xmlheader,`
`967`	`967`	`"<methodCall>\n"`
`968`		`- "<methodName>", methodname, "</methodName>\n",`
	`968`	`+ "<methodName>", escape(methodname), "</methodName>\n",`
`969`	`969`	`data,`
`970`	`970`	`"</methodCall>\n"`
`971`	`971`	`)`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	+Fix XML injection vulnerability in :func:`xmlrpc.client.dumps` where the ``methodname``
	`2`	`+was not being escaped before interpolation into the XML body.`