From 70ae316866471cb146e629927a3effdc971f2284 Mon Sep 17 00:00:00 2001
From: xxxxxcat1 <126774586+xxxxxcat1@users.noreply.github.com>
Date: Wed, 16 Apr 2025 11:41:32 +0800
Subject: [PATCH 1/2] Update vs.py

The original code may have had an XXE vulnerability, which is now fixed
---
 tools/vs.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/tools/vs.py b/tools/vs.py
index 4da6dc13819..7bdef7dbbd7 100644
--- a/tools/vs.py
+++ b/tools/vs.py
@@ -30,6 +30,7 @@ import xml.etree.ElementTree as etree
 from xml.etree.ElementTree import SubElement
+from defusedxml.ElementTree import parse
 from utils import _make_path_relative
 from utils import xml_indent
 fs_encoding = sys.getfilesystemencoding()
@@ -86,7 +87,8 @@ def VS_AddHeadFilesGroup(program, elem, project_path):
 def VSProject(target, script, program):
 project_path = os.path.dirname(os.path.abspath(target))
- tree = etree.parse('template_vs2005.vcproj')
+ # tree = etree.parse('template_vs2005.vcproj')
+ tree = parse('template_vs2005.vcproj', forbid_dtd=True)
 root = tree.getroot()
 out = open(target, 'w')

From 79df4856042a0f746c6866b177a14677674aa045 Mon Sep 17 00:00:00 2001
From: xxxxxcat1 <126774586+xxxxxcat1@users.noreply.github.com>
Date: Wed, 16 Apr 2025 11:48:20 +0800
Subject: [PATCH 2/2] Update vs.py

The original code may have had an XXE vulnerability, which is now largely fixed.
---
 tools/vs.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tools/vs.py b/tools/vs.py
index 7bdef7dbbd7..b148d3ff9d4 100644
--- a/tools/vs.py
+++ b/tools/vs.py
@@ -31,6 +31,7 @@ import xml.etree.ElementTree as etree
 from xml.etree.ElementTree import SubElement
 from defusedxml.ElementTree import parse
+from defusedxml.common import DefusedXmlException
 from utils import _make_path_relative
 from utils import xml_indent
 fs_encoding = sys.getfilesystemencoding()
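Review bot: `defusedxml` is a third-party package and nothing in this series declares it (the diffstat touches only `tools/vs.py`), so the new `from defusedxml.ElementTree import parse` turns a previously stdlib-only build script into one that fails at import time wherever the package is absent; the same applies to the second patch's `from defusedxml.common import DefusedXmlException`. Either add the dependency wherever the project records its Python requirements, or wrap this import in a `try:`/`except ImportError as err:` that re-raises with a message naming the package, rather than falling back to `etree.parse`, which would silently drop the hardening. The `import xml.etree.ElementTree as etree` line above presumably remains in use elsewhere in the file, so it should stay.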
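Review bot: The added `# tree = etree.parse('template_vs2005.vcproj')` is commented-out code that the second patch also keeps; delete it, since history already records the old call, and put a why-comment in its place such as `# defusedxml refuses entity expansion and external references in the template (XXE hardening)`. With `forbid_dtd=True` defusedxml raises `DTDForbidden` for a template that carries a DOCTYPE, which this function neither handles nor documents, so a user would see a bare traceback instead of a message naming the template, and the follow-up patch then relaxes the flag without recording why. The parsed file is the tool's own `template_vs2005.vcproj`, resolved relative to the current directory, so the practical exposure depends on who can place or edit that file; the hardened parser is still the right default. `VSProject` continues past the end of the hunk.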
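Review bot: `DefusedXmlException` is imported here but used nowhere in either patch, and as far as the hunks show nothing else in the file references it, so this is an unused import. Either drop the line, or use it at the parse call in `VSProject` so a rejected template fails with a clear message, e.g. `except DefusedXmlException as err:` followed by `raise RuntimeError("template_vs2005.vcproj was rejected by the XML hardening: %s" % err) from err`. Catching only this defusedxml base class keeps ordinary `ParseError`s on their existing path.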
@@ -88,7 +89,7 @@ def VSProject(target, script, program):
 project_path = os.path.dirname(os.path.abspath(target))
 # tree = etree.parse('template_vs2005.vcproj')
- tree = parse('template_vs2005.vcproj', forbid_dtd=True)
+ tree = parse('template_vs2005.vcproj', forbid_dtd=False, forbid_external=True)
 root = tree.getroot()
 out = open(target, 'w')
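Review bot: `forbid_dtd=False` and `forbid_external=True` are defusedxml's defaults, as is the unmentioned `forbid_entities=True` that actually blocks entity expansion, so this call is equivalent to `parse('template_vs2005.vcproj')` and the visible change only undoes the first patch's `forbid_dtd=True`. That reversal deserves a comment on the line above rather than the message's "largely fixed", e.g. `# defusedxml defaults: entity expansion and external references are refused; a DTD is tolerated because <reason>` with the reason filled in (presumably the template carries a DOCTYPE, which the diff does not show). If no DTD is needed, keeping `forbid_dtd=True` is the stricter choice. The `# tree = etree.parse(...)` context line above is still dead code. `VSProject` starts before and continues after this hunk.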