Fix lxml default parser #616

Merged
merged 1 commit into from
Aug 10, 2021

cehbrecht
Collaborator

@cehbrecht cehbrecht commented Aug 9, 2021

Overview

This PR configures the lxml default parser to avoid security issues.

For example, the default lxml parser replaces entities in the XML request with the content of local system files.

Changes:

  • Added xml_util.py with a configured lxml parser for lxml.etree.fromstring and lxml.etree.parse.
  • Added test for xml_util.py.
  • Adjust to werkzeug deprecation warnings:
    • use werkzeug.Response
    • use markupsafe
  • Cleaned up imports.

Related Issue / Discussion

geopython/OWSLib#790

Additional Information

This PR is not using defusedxml.lxml since it is deprecated:
https://pypi.org/project/defusedxml/#defusedxml-lxml

Contribution Agreement

(as per https://github.com/geopython/pywps/blob/master/CONTRIBUTING.rst#contributions-and-licensing)

  • I'd like to contribute [feature X|bugfix Y|docs|something else] to PyWPS. I confirm that my contributions to PyWPS will be compatible with the PyWPS license guidelines at the time of contribution.
  • [x] I have already previously agreed to the PyWPS Contributions and Licensing Guidelines

    added test for xml_util

    use xml_util

    use werkzeug Response

    use markupsafe
@coveralls

Coverage Status

Coverage remained the same at 0.0% when pulling 6896931 on cehbrecht:fix-lxml-parser into 7112197 on geopython:pywps-4.4.

@cehbrecht cehbrecht merged commit 7d6b26a into geopython:pywps-4.4 Aug 10, 2021
@cehbrecht cehbrecht deleted the fix-lxml-parser branch August 10, 2021 08:51
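
An added example, not part of this PR or of PyWPS's xml_util.py, of the kind of configured lxml parser the description refers to: it parses a constructed request whose external entity points at a temporary canary file and checks that the file content never reaches the parsed tree. The parser options chosen and the names `safe_fromstring`, `unexpanded_entities` and `canary_check` are assumptions made for illustration.

```python
import tempfile
from pathlib import Path

from lxml import etree

# Assumed hardening options; not copied from PyWPS's xml_util.py.
HARDENED_PARSER = etree.XMLParser(
    resolve_entities=False,  # leave &name; references unexpanded
    no_network=True,         # never fetch DTDs or entities over the network
    load_dtd=False,          # do not load an external DTD subset
)


def safe_fromstring(data):
    """Parse untrusted XML with the hardened parser, not lxml's default."""
    return etree.fromstring(data, parser=HARDENED_PARSER)


def unexpanded_entities(root):
    """Names of entity references left in the tree (log or reject on these)."""
    return [node.name for node in root.iter(etree.Entity)]


def canary_check():
    """Regression check: returns (canary_leaked, entity_names)."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample data: a throwaway file standing in for a
        # local system file.
        canary = Path(tmp) / "canary.txt"
        canary.write_text("CANARY-local-file-content")
        request = (
            '<?xml version="1.0"?>'
            f'<!DOCTYPE r [<!ENTITY ext SYSTEM "{canary.as_uri()}">]>'
            "<r><id>&ext;</id></r>"
        ).encode()
        root = safe_fromstring(request)
        leaked = b"CANARY" in etree.tostring(root)
        return leaked, unexpanded_entities(root)


if __name__ == "__main__":
    leaked, names = canary_check()
    print("canary leaked:", leaked, "| unexpanded entities:", names)
```
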
This was referenced Aug 10, 2021
fmigneault added a commit to crim-ca/weaver that referenced this pull request Sep 1, 2021
fmigneault added a commit to crim-ca/weaver that referenced this pull request Sep 17, 2021
4 participants