From 9f61271dc1ca82ed91f529b130fe5dc5c9bf1f4c Mon Sep 17 00:00:00 2001
From: Cosimo Lupo
Date: Fri, 15 Sep 2023 16:50:38 +0200
Subject: [PATCH] subset: parse OT-SVG with resolve_entities=False to guard against XXE attacks

as recommended in https://codeql.github.com/codeql-query-help/python/py-xxe/
---
 Lib/fontTools/subset/svg.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/Lib/fontTools/subset/svg.py b/Lib/fontTools/subset/svg.py
index f6d74a400..2e55bf54c 100644
--- a/Lib/fontTools/subset/svg.py
+++ b/Lib/fontTools/subset/svg.py
@@ -225,6 +225,9 @@ def subset_glyphs(self, s) -> bool:
 # ignore blank text as it's not meaningful in OT-SVG; it also prevents
 # dangling tail text after removing an element when pretty_print=True
 remove_blank_text=True,
+ # don't replace entities; we don't expect any in OT-SVG and they may
+ # aboused for XXE attacks
+ resolve_entities=False,
 ),
 )
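Review bot: The comment on the added lines has a grammar slip: `they may aboused for XXE attacks` should read `they may be abused for XXE attacks`. Beyond the wording, `resolve_entities=False` does not reject a document that declares entities; lxml keeps the reference in the tree as an unresolved `etree.Entity` node, so such an SVG would still be parsed and re-serialized with the reference intact, and if the "we don't expect any in OT-SVG" assumption is meant to be enforced the subsetter could check for `etree.Entity` nodes after parsing and raise. It may also be worth noting in the comment that this flag relies on the parser defaults `load_dtd=False` and `no_network=True` staying in place, since any other `XMLParser` options are not visible in this hunk. subset_glyphs begins before the hunk and the enclosing parser construction is only partly shown.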