Protect against XML vulnerabilities

issue11219 issue11244 (grafted from f801a89c84e7df1e3ae00b0f91d500ed7d36a7a9) --HG-- branch : 5.0
tryton · Mar 1, 2022 · 0729a88 · 0729a88
1 parent 0576244
commit 0729a88
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 0 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,3 +1,5 @@
+* Use defusedxml to parse XML (11244)
+
 Version 5.0.11 - 2022-01-15
 * Bug fixes (see mercurial logs for details)
 

diff --git a/proteus/config.py b/proteus/config.py
@@ -11,8 +11,12 @@
 import xmlrpc.client
 from decimal import Decimal
 
+import defusedxml.xmlrpc
+
 __all__ = ['set_trytond', 'set_xmlrpc', 'get_config']
 
+defusedxml.xmlrpc.monkey_patch()
+
 
 def dump_decimal(self, value, write):
     value = {'__class__': 'Decimal',

diff --git a/setup.py b/setup.py
@@ -77,6 +77,7 @@ def get_require_version(name):
     license='LGPL-3',
     python_requires='>=3.4',
     install_requires=[
+        'defusedxml',
         "python-dateutil",
         ],
     extras_require={