fix cve CVE Requests
kiorky committed May 15, 2014
1 parent a386568 commit 64125a2
Showing 7 changed files with 60 additions and 55 deletions.
23 changes: 21 additions & 2 deletions CHANGES.txt
@@ -1,8 +1,27 @@
CHANGELOG
=====================

0.12.6 (unreleased)
-----------------------
0.12.19 (unreleased)
--------------------

- Nothing changed yet.


0.12.18 (2014-05-15)
--------------------

- better version handling [kiorky]


0.12.6 (2014-05-15)
-------------------
- display summary on pypi [kiorky]


0.12.6 (2014-05-15)
-------------------
- fix cve CVE Request ---- SOAPpy 0.12.5 Multiple Vulnerabilities -- LOL part
[kiorky]
- fix cve CVE Request ---- SOAPpy 0.12.5 Multiple Vulnerabilities -- XXE part
[kiorky]
- Remove dependency on fpconst.
2 changes: 2 additions & 0 deletions README.txt
Expand Up @@ -2,6 +2,8 @@
SOAPpy - Simple to use SOAP library for Python
==============================================

.. contents::

Disclaimer
==========
Please use `suds <https://pypi.python.org/pypi/suds>`_ rather than SOAPpy.
File renamed without changes.
45 changes: 3 additions & 42 deletions setup.py
Expand Up @@ -11,53 +11,13 @@ def read(*rnames):
return "\n"+ open(
os.path.join('.', *rnames)
).read()




def load_version():
"""
Load the version number by executing the version file in a variable. This
way avoids executing the __init__.py file which load nearly everything in
the project, including fpconst which is not yet installed when this script
is executed.
Source: https://github.com/mitsuhiko/flask/blob/master/flask/config.py#L108
"""

import imp
from os import path

filename = path.join(path.dirname(__file__), 'src', 'SOAPpy', 'version.py')
d = imp.new_module('version')
d.__file__ = filename

try:
execfile(filename, d.__dict__)
except IOError, e:
e.strerror = 'Unable to load the version number (%s)' % e.strerror
raise

return d.__version__


__version__ = load_version()


url="https://github.com/kiorky/SOAPpy.git"

long_description="SOAPpy provides tools for building SOAP clients and servers. For more information see " + url\
+'\n'+read('README.txt')\
+'\n'+read('CHANGES.txt')\

if CVS:
import time
__version__ += "_CVS_" + time.strftime('%Y_%m_%d')


+'\n'+read('CHANGES.txt')
setup(
name="SOAPpy",
version=__version__,
version='0.12.19.dev0',
description="SOAP Services for Python",
maintainer="Gregory Warnes, kiorky",
maintainer_email="Gregory.R.Warnes@Pfizer.com, kiorky@cryptelium.net",
Expand All @@ -68,6 +28,7 @@ def load_version():
include_package_data=True,
install_requires=[
'wstools',
'defusedxml',
]
)
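Review bot: The new `'defusedxml'` entry in install_requires carries no version bound, while Parser.py in this same commit relies on `defusedxml.expatreader.create_parser()` and on the `forbid_dtd`/`forbid_entities`/`forbid_external` attributes it sets on the parser, so an older defusedxml lacking any of them would install cleanly and only fail at parse time. A floor such as `'defusedxml>=<MIN_VERSION>'`, with the oldest release verified to provide those attributes, makes the requirement explicit. The `setup(...)` call whose argument list this hunk sits in starts outside the hunk.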

38 changes: 29 additions & 9 deletions src/SOAPpy/Parser.py
Expand Up @@ -16,13 +16,22 @@
try: from M2Crypto import SSL
except: pass

from defusedxml import expatreader
from defusedxml.common import DefusedXmlException


ident = '$Id: Parser.py 1497 2010-03-08 06:06:52Z pooryorick $'
from version import __version__


################################################################################
# SOAP Parser
################################################################################

def make_parser(parser_list=[]):
return expatreader.create_parser()


class RefHolder:
def __init__(self, name, frame):
self.name = name
Expand Down Expand Up @@ -1041,27 +1050,38 @@ def resolveEntity(self, publicId, systemId):
return StringIO("<?xml version='1.0' encoding='UTF-8'?>")


def _parseSOAP(xml_str, rules = None, ignore_ext=None):
def _parseSOAP(xml_str, rules = None, ignore_ext=None,
forbid_entities=False, forbid_external=True, forbid_dtd=False):

@thoger

thoger Jan 5, 2015

These defaults leave the client vulnerable to billion laughs attacks - see issue #17.

inpsrc = xml.sax.xmlreader.InputSource()
inpsrc.setByteStream(StringIO(xml_str))
if ignore_ext is None:
ignore_ext = False

parser = xml.sax.make_parser()
parser = make_parser()
t = SOAPParser(rules=rules)
parser.setContentHandler(t)
e = xml.sax.handler.ErrorHandler()
parser.setErrorHandler(e)
errorHandler = xml.sax.handler.ErrorHandler()
parser.setErrorHandler(errorHandler)

inpsrc = xml.sax.xmlreader.InputSource()
inpsrc.setByteStream(StringIO(xml_str))

# disable by default entity loading on posted content
if ignore_ext:
parser.setEntityResolver(EmptyEntityResolver())
# disable by default entity loading on posted content
forbid_dtd = True
forbid_entities = True
forbid_external = True
parser.forbid_dtd = forbid_dtd
parser.forbid_entities = forbid_entities
parser.forbid_external = forbid_external
parser.setEntityResolver(EmptyEntityResolver())

@thoger

thoger Jan 5, 2015

Does it still make sense to set EmptyEntityResolver here? Given the defusedxml use and the forbid_external defaulting to True, it seems redundant. Having it set unconditionally actually makes it impossible to enable resolution of external entities, even when both ignore_ext and forbid_external are set to False.


# turn on namespace mangeling
parser.setFeature(xml.sax.handler.feature_namespaces, 1)

try:
parser.parse(inpsrc)
except DefusedXmlException, e:
parser._parser = None
print traceback.format_exc()
raise e
except xml.sax.SAXParseException, e:
parser._parser = None
print traceback.format_exc()
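Review bot: In the new `except DefusedXmlException, e:` branch, `raise e` re-raises from the handler line and, under Python 2 (this file uses the `except X, e` and `print` statement forms), replaces the original traceback with one that starts at the handler; a bare `raise` keeps the original frames, which is what a caller investigating a rejected document needs. The preceding `print traceback.format_exc()` writes the full traceback of every rejected payload to stdout, which is the wrong channel for a library running inside a server; a module logger call (`logging.getLogger(__name__).warning("rejected SOAP input: %s", e)`) would route it with the rest of the process's logging, and the hunk does not show whether `traceback` is imported at the top of Parser.py. The pre-existing `SAXParseException` branch below uses the same print and continues past the end of the hunk, as does the remainder of `_parseSOAP`.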
7 changes: 5 additions & 2 deletions src/SOAPpy/version.py
@@ -1,2 +1,5 @@
__version__="0.12.6"

try:
import pkg_resources
__version__ = pkg_resources.get_distribution("SOAPpy").version
except:
__version__="xxx"
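Review bot: The bare `except:` around the pkg_resources lookup catches everything, including KeyboardInterrupt and SystemExit, and silently maps any failure to `__version__="xxx"`, so a missing setuptools is indistinguishable from an uninstalled distribution. `except Exception:` is the minimal narrowing; catching `pkg_resources.DistributionNotFound` by name is not possible here because `pkg_resources` is unbound when its own import fails, so a nested `try` around the import would be needed for that. Because the number now comes only from the installed distribution, importing SOAPpy from a source checkout yields `"xxx"` while setup.py in this commit states `'0.12.19.dev0'`; a comment such as `# version is only known once the distribution is installed; "xxx" means a source checkout` on the except branch would record that this is intended.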
File renamed without changes.
