Issue 2551116
Created on 2021-03-14 15:55 by rouilj, last changed 2023-09-30 23:46 by rouilj.
msg7110
Author: [hidden] (rouilj)
Date: 2021-03-14 15:55
From doc/xmlrpc.txt
Both the standalone and embedded roundup XML endpoints used the
default python XML parser. This parser is known to have security
issues. For details see: https://pypi.python.org/pypi/defusedxml/.
[...] Patches with tests to roundup to use defusedxml are welcome.
I am not sure how many people use the xmlrpc endpoint. The
vulnerabilities seem to be DOS/resource usage and not remote
code execution/remote data access, so this isn't highly critical.
Vulnerability can be mitigated by limiting xmlrpc access to specific
trusted users. Also the REST interface provides another method for
accessing data.
defusedxml is located at https://pypi.python.org/pypi/defusedxml/
At this point it supports python versions 2.7.X and > 3.5.
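The mitigation this message asks for (refusing DTD entity declarations and external entity references before the XML-RPC parser expands them), as an added example using only the standard library. It is not Roundup's code nor defusedxml's, though it hooks expat the same way defusedxml.xmlrpc does; the 'display' method and the two request bodies are constructed for the demonstration.

```python
import xmlrpc.client

STOCK_PARSER = xmlrpc.client.ExpatParser  # stdlib default for xmlrpc.server

class EntitiesForbidden(ValueError):
    """Raised when an XML-RPC body declares or references an entity."""

class DefendedExpatParser(xmlrpc.client.ExpatParser):
    """Refuses entity declarations and external entity references.

    XML-RPC never needs entities, and they are what entity-expansion (XML
    bomb) payloads are built from; defusedxml.xmlrpc hooks expat the same way.
    """
    def __init__(self, target):
        super().__init__(target)
        p = self._parser  # the underlying xml.parsers.expat parser
        p.EntityDeclHandler = self._forbid_entity
        p.UnparsedEntityDeclHandler = self._forbid_entity
        p.ExternalEntityRefHandler = self._forbid_external

    def _forbid_entity(self, name, *_):
        raise EntitiesForbidden("entity declaration %r refused" % name)

    def _forbid_external(self, context, base, system_id, public_id):
        raise EntitiesForbidden("external entity reference refused")

def parse_request(payload, parser_cls=DefendedExpatParser):
    """Parse an XML-RPC methodCall body; returns (params, methodname)."""
    target = xmlrpc.client.Unmarshaller()
    parser = parser_cls(target)
    parser.feed(payload)
    parser.close()
    return target.close(), target.getmethodname()

def is_rejected(payload, parser_cls=DefendedExpatParser):
    """True if the parser refused the payload as unsafe."""
    try:
        parse_request(payload, parser_cls)
    except EntitiesForbidden:
        return True
    return False

# Constructed sample bodies (hypothetical 'display' method, not Roundup's).
BENIGN = (b'<?xml version="1.0"?><methodCall><methodName>display</methodName>'
          b'<params><param><value><string>issue1</string></value></param>'
          b'</params></methodCall>')
# One internal entity: harmless alone, but the construct a resource
# exhaustion payload relies on; the stock parser silently expands it.
WITH_ENTITY = (b'<?xml version="1.0"?><!DOCTYPE methodCall [<!ENTITY e "issue1">]>'
               b'<methodCall><methodName>display</methodName><params><param>'
               b'<value><string>&e;</string></value></param></params></methodCall>')
```

With the stock parser the second body parses to the same result as the first, which is exactly why the entity declaration has to be refused up front rather than inspected after expansion.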
msg7837
Author: [hidden] (rouilj)
Date: 2023-09-30 23:46
https://discuss.python.org/t/status-of-defusedxml-and-recommendation-in-docs/34762/6
discusses using lxml as a replacement for defusedxml as defusedxml had no updates
in two years until two days ago 8-).
lxml also has a faq for security issues:
https://lxml.de/FAQ.html#is-lxml-vulnerable-to-xml-bombs
but an item lower in the faq references defusedxml as a wrapper for lxml.
defusedxml 0.8.0b was released on 9/28/2023. So looks like defusedxml with a
system supplied libexpat of 2.4.0 or newer is the best route. This means
python 3.7 or newer for the newer libexpat IIUC.
Date | User | Action | Args
2023-09-30 23:46:17 | rouilj | set | messages: + msg7837
2021-03-14 15:55:20 | rouilj | create |