forked from IdentityPython/pysaml2
Introduce xml_safe as a module to control xml operations
This is related to CVE-2017-11427[0] and VU#475445[1].

Related issues: IdentityPython#496, IdentityPython#497

Reported by duo[2] through this blog post[3].

pysaml2 is not affected, as, by default, the xml.etree.ElementTree and xml.etree.cElementTree parsers ignore comments. However, this commit makes sure that the ElementTree being used is set correctly through the defusedxml lib and centralizes the control of which functions are exposed and available for usage in the code.

Any code that needs a function to parse, modify or serialize XML should obtain it through the xml_safe module. The new module asks defusedxml to provide the function and, if it is not available, falls back to the one provided by xml.etree.cElementTree. This is a guarantee that functions like parse, fromstring et al. are provided by the defusedxml lib.

[0]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-11427
[1]: https://www.kb.cert.org/vuls/id/475445
[2]: https://duo.com
[3]: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
1 parent febbf22, commit 88d3a90. Showing 5 changed files with 24 additions and 54 deletions.
@@ -0,0 +1,10 @@
+from xml.etree.cElementTree import * # noqa
+
+import defusedxml.cElementTree as defusedElementTree
+from defusedxml.cElementTree import * # noqa
+
+
+assert all( # noqa
+globals().get(attr_str) is getattr(defusedElementTree, attr_str)
+for attr_str in defusedElementTree.__all__), (
+"defusedxml not loaded correctly")
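Review bot: the `assert all(...)` guard at the end of this hunk is stripped when the interpreter runs with `-O`, so in optimized mode a missing or stale defusedxml would pass silently and callers would get the stdlib parsers without noticing; raise an explicit `ImportError("defusedxml not loaded correctly")` instead of relying on `assert`. The check also only covers names listed in `defusedElementTree.__all__`; every other name brought in by the two star-imports still resolves to `xml.etree.cElementTree`, which matches the fallback described in the commit message but should be stated in a module docstring so future readers do not assume everything here is hardened. Finally, `xml.etree.cElementTree` is deprecated in Python 3 (it is a thin alias for `xml.etree.ElementTree`), so importing from `xml.etree.ElementTree` and `defusedxml.ElementTree` would avoid a future breakage.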