Roundup Tracker - Issues

Message7110

Author rouilj
Recipients rouilj
Date 2021-03-14.15:55:19
Message-id <1615737320.14.0.672802813.issue2551116@roundup.psfhosted.org>
In-reply-to
From doc/xmlrpc.txt

   Both the standalone and embedded roundup XML endpoints used the
   default python XML parser. This parser is known to have security
   issues. For details see: https://pypi.python.org/pypi/defusedxml/.
   [...] Patches with tests to roundup to use defusedxml are welcome.

I am not sure how many people use the xmlrpc endpoint. The
vulnerabilities seem to be DoS/resource usage and not remote
code execution/remote data access, so this isn't highly critical.

Vulnerability can be mitigated by limiting xmlrpc access to specific
trusted users. Also the REST interface provides another method for 
accessing data.

defusedxml is located at https://pypi.python.org/pypi/defusedxml/
At this point it supports python versions 2.7.X and > 3.5.
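The resource-usage issue the message refers to is entity expansion in the
internal DTD subset: the expat-based parser behind xmlrpc.client expands
nested entity definitions before the unmarshaller ever sees the value, so a
request of a few hundred bytes can force the server to build a string many
orders of magnitude larger. The following is an added example, written for
this page; it is not roundup's code and it does not use defusedxml. It builds
a small constructed XML-RPC "methodCall" carrying a scaled-down expansion
payload (depth 3, fan-out 10, so 1000x instead of the billions a real attack
would use), shows that the stock parser expands it, and then shows the
mitigation defusedxml applies under the hood: refuse any document that
declares a DOCTYPE or an entity before handing it to xmlrpc.client.loads.
The names build_bomb, unsafe_loads, reject_dtd, safe_loads and ForbiddenDTD
are hypothetical helpers introduced here, not roundup or defusedxml APIs.

```python
"""Added example: entity expansion against the stock XML-RPC parser, and a
DTD-rejecting pre-check of the kind defusedxml.xmlrpc.monkey_patch() provides.
All helpers here are hypothetical names; the payloads are constructed."""
import xmlrpc.client
from xml.parsers import expat


class ForbiddenDTD(ValueError):
    """Raised when XML input carries a DOCTYPE or entity declaration."""


def build_bomb(depth=3, fanout=10):
    """Constructed XML-RPC request whose single string param expands to
    fanout**depth characters. depth=3, fanout=10 -> 1000 chars from a
    payload that is only a few hundred bytes long."""
    ents = ['<!ENTITY e0 "a">']
    for i in range(1, depth + 1):
        ents.append('<!ENTITY e%d "%s">' % (i, ("&e%d;" % (i - 1)) * fanout))
    dtd = "<!DOCTYPE methodCall [" + "".join(ents) + "]>"
    body = (
        "<methodCall><methodName>demo</methodName><params><param><value>"
        "<string>&e%d;</string></value></param></params></methodCall>" % depth
    )
    return dtd + body


# Constructed benign request for comparison: no DTD, one string param.
BENIGN = (
    "<methodCall><methodName>demo</methodName><params><param><value>"
    "<string>hello</string></value></param></params></methodCall>"
)
BOMB = build_bomb()


def unsafe_loads(xml_text):
    """What the stock endpoint does: xmlrpc.client.loads parses with expat,
    which silently expands internal entities. Returns (params, methodname)."""
    return xmlrpc.client.loads(xml_text)


def reject_dtd(xml_text):
    """Pre-check: run expat with handlers that abort on the first DOCTYPE,
    entity declaration or external entity reference. The doctype handler
    fires before any entity is declared, so nothing is expanded here; an
    exception raised inside a handler propagates out of Parse()."""
    parser = expat.ParserCreate()

    def forbid(*args):
        raise ForbiddenDTD("DTD and entity declarations are not accepted")

    parser.StartDoctypeDeclHandler = forbid
    parser.EntityDeclHandler = forbid
    parser.ExternalEntityRefHandler = forbid
    parser.Parse(xml_text, True)


def safe_loads(xml_text):
    """Hardened form: refuse DTD-bearing input, then unmarshal as usual."""
    reject_dtd(xml_text)
    return xmlrpc.client.loads(xml_text)


def expansion_ratio(xml_text):
    """Size of the unmarshalled string param divided by the request size:
    a crude measure of the amplification the stock parser hands an attacker."""
    params, _method = unsafe_loads(xml_text)
    return len(params[0]) / float(len(xml_text))


if __name__ == "__main__":
    params, method = unsafe_loads(BOMB)
    print("stock parser: method=%s, param length=%d from a %d-byte request"
          % (method, len(params[0]), len(BOMB)))
    try:
        safe_loads(BOMB)
    except ForbiddenDTD as exc:
        print("hardened parser rejected the request:", exc)
    print("benign request still works:", safe_loads(BENIGN))
```

Raising the depth or fan-out in build_bomb shows why this matters in
production: the request grows linearly while the expanded value grows
exponentially. A pre-check of this kind costs one extra expat pass over the
request, which is acceptable for a tracker endpoint; in a real deployment the
simpler route is defusedxml.xmlrpc.monkey_patch(), which wraps the same
handlers around xmlrpc.client's parser for you.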
History
Date                 User    Action  Args
2021-03-14 15:55:20  rouilj  set     recipients: + rouilj
2021-03-14 15:55:20  rouilj  set     messageid: <1615737320.14.0.672802813.issue2551116@roundup.psfhosted.org>
2021-03-14 15:55:20  rouilj  link    issue2551116 messages
2021-03-14 15:55:19  rouilj  create