
Switch to use defusedxml as the default xml loader. #58

Merged
merged 1 commit into from Dec 17, 2015

@njoyce
Member

njoyce commented Dec 9, 2015

By default, PyAMF will not support potentially vulnerable XML payloads. See
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing.

Wrap all calls to etree.fromstring() with defusedxml. All the standard XML processing libs that PyAMF previously supported are still supported.

There may be people who use DTD/Entities as part of their AMF payloads - they will have
to continue to use an old version or make an issue to see how their use case can still be
supported.
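The policy this PR adopts (refuse any XML payload that declares entities, so the loader never expands them) can be reproduced without third-party packages using the expat bindings that ship with Python. This is an added illustration, not PyAMF's or defusedxml's own code; the payloads are constructed samples, and a real deployment would simply call defusedxml as the PR does.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """Raised when a payload declares or references entities."""


# Constructed sample payloads (not taken from the PR or from PyAMF).
PLAIN_PAYLOAD = b'<?xml version="1.0"?><root><a>1</a></root>'
# A harmless internal entity is enough to trip the policy: the point is
# that no entity machinery at all reaches the real parser.
ENTITY_PAYLOAD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE r [<!ENTITY greeting "hi">]>'
    b'<r>&greeting;</r>'
)


def check_no_entities(data):
    """Scan the document with expat and abort on any entity declaration.

    The handlers fire as the DTD is read, before any substitution, so
    nested or oversized definitions are never expanded.
    """
    parser = expat.ParserCreate()

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise ForbiddenXML("entity declaration %r is not allowed" % name)

    def on_external_ref(context, base, sysid, pubid):
        raise ForbiddenXML("external entity %r is not allowed" % sysid)

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)


def load_xml(data):
    """Return the root element only once the payload has passed the check."""
    check_no_entities(data)
    return ET.fromstring(data)


def is_rejected(data):
    """True if load_xml refuses the payload; useful for tests and logging."""
    try:
        load_xml(data)
    except ForbiddenXML:
        return True
    return False


def unchecked_text(data):
    """What the stock loader does with the same bytes: it expands the entity."""
    return ET.fromstring(data).text
```

The last function exists only to show the contrast: the plain `ET.fromstring` path returns the substituted text, while `load_xml` raises before parsing.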

Switch to use defusedxml as the default xml loader.
By default, PyAMF will not support potentially vulnerable payloads. See
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing.

All the standard XML processing libs that PyAMF previously supported are still supported.

There may be people who use DTD/Entities as part of their AMF payloads - they will have
to continue to use an old version or make an issue to see how their use case can still be
supported.

njoyce added a commit that referenced this pull request Dec 17, 2015

Merge pull request #58 from hydralabs/defusedxml
Switch to use defusedxml as the default xml loader.

@njoyce njoyce merged commit 71fbe94 into master Dec 17, 2015

3 checks passed

continuous-integration/travis-ci/pr The Travis CI build passed
continuous-integration/travis-ci/push The Travis CI build passed
coverage/coveralls Coverage increased (+0.01%) to 89.167%

@njoyce njoyce deleted the defusedxml branch Dec 17, 2015
