Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix XXE in XML parsing (related to #366) #379

Merged
merged 1 commit into from Nov 2, 2016

Conversation

Projects
None yet
2 participants
@fruechel
Copy link
Contributor

commented Oct 31, 2016

This fixes XXE issues on anything where pysaml2 parses XML directly as part of
issue #366. It doesn't address the xmlsec issues discussed on that ticket as
they are out of reach of a direct fix and need the underlying library to fix
this issue.

Fix XXE in XML parsing (related to #366)
This fixes XXE issues on anything where pysaml2 parses XML directly as part of
issue #366. It doesn't address the xmlsec issues discussed on that ticket as
they are out of reach of a direct fix and need the underlying library to fix
this issue.
@fruechel

This comment has been minimized.

Copy link
Contributor Author

commented Oct 31, 2016

As noted the xmlsec bit is not fixed here. However, this relies on the underlying library so we can't fix it here. I also noticed that the two usages of parse_xml in sigver.py seem to invoke a function that doesn't even exist. I don't have enough context on any of this and might need some input.

Especially, someone needs to review if I missed any of the XML parsing functions.

@fruechel

This comment has been minimized.

Copy link
Contributor Author

commented Nov 2, 2016

Any comment?

@rohe rohe merged commit 8c2b052 into IdentityPython:master Nov 2, 2016

2 checks passed

code-quality/landscape Code quality increased by 0.01%
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.