From 64125a24aad228761f38312d44bde4bec7354276 Mon Sep 17 00:00:00 2001 From: Mathieu Le Marec - Pasquet Date: Thu, 15 May 2014 12:39:48 +0200 Subject: [PATCH] fix cve CVE Requests --- CHANGES.txt | 23 ++++++++++++++-- README.txt | 2 ++ ChangeLog => old.Changelog | 0 setup.py | 45 +++----------------------------- src/SOAPpy/Parser.py | 38 ++++++++++++++++++++------- src/SOAPpy/version.py | 7 +++-- vul_lol.txt => tests/vul_lol.txt | 0 7 files changed, 60 insertions(+), 55 deletions(-) rename ChangeLog => old.Changelog (100%) rename vul_lol.txt => tests/vul_lol.txt (100%) diff --git a/CHANGES.txt b/CHANGES.txt index ec8627e..7a1c326 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -1,8 +1,27 @@ CHANGELOG ===================== -0.12.6 (unreleased) ------------------------ +0.12.19 (unreleased) +-------------------- + +- Nothing changed yet. + + +0.12.18 (2014-05-15) +-------------------- + +- better version handling [kiorky] + + +0.12.6 (2014-05-15) +------------------- +- display summary on pypi [kiorky] + + +0.12.6 (2014-05-15) +------------------- +- fix cve CVE Request ---- SOAPpy 0.12.5 Multiple Vulnerabilities -- LOL part + [kiorky] - fix cve CVE Request ---- SOAPpy 0.12.5 Multiple Vulnerabilities -- XXE part [kiorky] - Remove dependency on fpconst. diff --git a/README.txt b/README.txt index c3e0290..a0fd29a 100644 --- a/README.txt +++ b/README.txt @@ -2,6 +2,8 @@ SOAPpy - Simple to use SOAP library for Python ============================================== +.. contents:: + Disclaimer ========== Please use `suds `_ rather than SOAPpy. diff --git a/ChangeLog b/old.Changelog similarity index 100% rename from ChangeLog rename to old.Changelog diff --git a/setup.py b/setup.py index 9574a20..5fa81e2 100644 --- a/setup.py +++ b/setup.py 
@@ -11,53 +11,13 @@ def read(*rnames): return "\n"+ open( os.path.join('.', *rnames) ).read() - - - - -def load_version(): - """ - Load the version number by executing the version file in a variable. This - way avoids executing the __init__.py file which load nearly everything in - the project, including fpconst which is not yet installed when this script - is executed. - - Source: https://github.com/mitsuhiko/flask/blob/master/flask/config.py#L108 - """ - - import imp - from os import path - - filename = path.join(path.dirname(__file__), 'src', 'SOAPpy', 'version.py') - d = imp.new_module('version') - d.__file__ = filename - - try: - execfile(filename, d.__dict__) - except IOError, e: - e.strerror = 'Unable to load the version number (%s)' % e.strerror - raise - - return d.__version__ - - -__version__ = load_version() - - url="https://github.com/kiorky/SOAPpy.git" - long_description="SOAPpy provides tools for building SOAP clients and servers. For more information see " + url\ +'\n'+read('README.txt')\ - +'\n'+read('CHANGES.txt')\ - -if CVS: - import time - __version__ += "_CVS_" + time.strftime('%Y_%m_%d') - - + +'\n'+read('CHANGES.txt') setup( name="SOAPpy", - version=__version__, + version='0.12.19.dev0', description="SOAP Services for Python", maintainer="Gregory Warnes, kiorky", maintainer_email="Gregory.R.Warnes@Pfizer.com, kiorky@cryptelium.net", @@ -68,6 +28,7 @@ def load_version(): include_package_data=True, install_requires=[ 'wstools', + 'defusedxml', ] ) diff --git a/src/SOAPpy/Parser.py b/src/SOAPpy/Parser.py index 980555c..960bf2b 100644 --- a/src/SOAPpy/Parser.py +++ b/src/SOAPpy/Parser.py @@ -16,6 +16,10 @@ try: from M2Crypto import SSL except: pass +from defusedxml import expatreader +from defusedxml.common import DefusedXmlException + + ident = '$Id: Parser.py 1497 2010-03-08 06:06:52Z pooryorick $' from version import __version__ 
@@ -23,6 +27,11 @@ ################################################################################ # SOAP Parser ################################################################################ + +def make_parser(parser_list=[]): + return expatreader.create_parser() + + class RefHolder: def __init__(self, name, frame): self.name = name @@ -1041,27 +1050,38 @@ def resolveEntity(self, publicId, systemId): return StringIO("") -def _parseSOAP(xml_str, rules = None, ignore_ext=None): +def _parseSOAP(xml_str, rules = None, ignore_ext=None, + forbid_entities=False, forbid_external=True, forbid_dtd=False): + inpsrc = xml.sax.xmlreader.InputSource() + inpsrc.setByteStream(StringIO(xml_str)) if ignore_ext is None: ignore_ext = False - parser = xml.sax.make_parser() + parser = make_parser() t = SOAPParser(rules=rules) parser.setContentHandler(t) - e = xml.sax.handler.ErrorHandler() - parser.setErrorHandler(e) + errorHandler = xml.sax.handler.ErrorHandler() + parser.setErrorHandler(errorHandler) - inpsrc = xml.sax.xmlreader.InputSource() - inpsrc.setByteStream(StringIO(xml_str)) - - # disable by default entity loading on posted content if ignore_ext: - parser.setEntityResolver(EmptyEntityResolver()) + # disable by default entity loading on posted content + forbid_dtd = True + forbid_entities = True + forbid_external = True + parser.forbid_dtd = forbid_dtd + parser.forbid_entities = forbid_entities + parser.forbid_external = forbid_external + parser.setEntityResolver(EmptyEntityResolver()) + # turn on namespace mangeling parser.setFeature(xml.sax.handler.feature_namespaces, 1) try: parser.parse(inpsrc) + except DefusedXmlException, e: + parser._parser = None + print traceback.format_exc() + raise e except xml.sax.SAXParseException, e: parser._parser = None print traceback.format_exc() diff --git a/src/SOAPpy/version.py b/src/SOAPpy/version.py index 2e58820..67e7d13 100644 --- a/src/SOAPpy/version.py +++ b/src/SOAPpy/version.py 
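Review bot: `make_parser(parser_list=[])` takes a mutable default for an argument it never reads; the list is harmless only because it is unused, and the unused name hides that the hunk deliberately ignores any SAX driver a caller asks for. Prefer `def make_parser(parser_list=None):` with a docstring such as `"""Return a defusedxml expat parser; parser_list is accepted for xml.sax.make_parser signature compatibility and ignored."""`. It is also worth stating there that the forbid_* settings are left at create_parser()'s defaults and are expected to be set by the caller, which is what _parseSOAP does further down in this file.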
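Review bot: The new defaults `forbid_entities=False, forbid_dtd=False` leave internal entity declarations and the DTD permitted on the default path, so the entity-expansion ("LOL") case named in CHANGES.txt is only closed when a caller passes `ignore_ext=True`, which this signature defaults to False; as far as I recall defusedxml's own `create_parser()` defaults to `forbid_entities=True`, so the assignment `parser.forbid_entities = forbid_entities` actually re-enables what the library disables. Unless a caller genuinely depends on internal entities, default all three to True (`forbid_entities=True, forbid_external=True, forbid_dtd=True`) — SOAP 1.1 does not allow a DTD in an envelope anyway — and leave `ignore_ext` as the switch for the EmptyEntityResolver only; whether parseSOAP/parseSOAPRPC pass ignore_ext is outside this hunk. Separately, in the added `except DefusedXmlException, e:` block, `raise e` resets the traceback in Python 2; a bare `raise` keeps the re-raised exception consistent with the `traceback.format_exc()` that was just printed.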
@@ -1,2 +1,5 @@
-__version__="0.12.6"
-
+try:
+ import pkg_resources
+ __version__ = pkg_resources.get_distribution("SOAPpy").version
+except:
+ __version__="xxx"
diff --git a/vul_lol.txt b/tests/vul_lol.txt
similarity index 100%
rename from vul_lol.txt
rename to tests/vul_lol.txt
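Review bot: The bare `except:` in version.py catches everything, including SystemExit and KeyboardInterrupt, and maps all of it to `__version__="xxx"`; narrow it to `except Exception:` so an interrupt during import still propagates while a missing setuptools or an uninstalled distribution still gets the fallback. "xxx" is also what a source checkout that was never installed will report, since `pkg_resources.get_distribution("SOAPpy")` only knows installed distributions, so a comment on the fallback such as `# not installed (source checkout) or setuptools missing` would save the next reader a detour. Parser.py does `from version import __version__` at module load (visible in the first Parser.py hunk), so this change also pulls pkg_resources into every import of the parser; worth a note if import time matters.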