changeset f801a89c84e7 in proteus:default
details: https://hg.tryton.org/proteus?cmd=changeset&node=f801a89c84e7
description:
Protect against XML vulnerabilities
issue11219
issue11244
diffstat:
CHANGELOG | 1 +
proteus/config.py | 4 ++++
setup.py | 1 +
3 files changed, 6 insertions(+), 0 deletions(-)
diffs (35 lines):
diff -r a0f8aac350a2 -r f801a89c84e7 CHANGELOG
--- a/CHANGELOG Tue Feb 22 18:04:31 2022 +0100
+++ b/CHANGELOG Tue Mar 01 19:07:56 2022 +0100
@@ -1,3 +1,4 @@
+* Use defusedxml to parse XML (11244)
* Add support for Python 3.10
* Remove support for Python 3.6
diff -r a0f8aac350a2 -r f801a89c84e7 proteus/config.py
--- a/proteus/config.py Tue Feb 22 18:04:31 2022 +0100
+++ b/proteus/config.py Tue Mar 01 19:07:56 2022 +0100
@@ -13,8 +13,12 @@
from contextlib import contextmanager
from decimal import Decimal
+import defusedxml.xmlrpc
+
__all__ = ['set_trytond', 'set_xmlrpc', 'get_config']
+defusedxml.xmlrpc.monkey_patch()
+
def dump_decimal(self, value, write):
write('<value><bigdecimal>')
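Review bot: The module-level `defusedxml.xmlrpc.monkey_patch()` call is undocumented, and it is a process-wide side effect. It replaces the parser and gzip helpers on the standard `xmlrpc.client` module, so every XML-RPC user in a process that imports `proteus.config` is affected, not only proteus. I would put a comment above it, for example `# Harden xmlrpc.client process-wide: reject entity expansion / external entities and cap gzip-decoded size in XML-RPC responses`. The patch covers only the XML-RPC path; if proteus parses XML elsewhere with the stdlib parsers (not visible in this hunk), those call sites would presumably need their defusedxml equivalents too. `dump_decimal` continues outside the hunk.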
diff -r a0f8aac350a2 -r f801a89c84e7 setup.py
--- a/setup.py Tue Feb 22 18:04:31 2022 +0100
+++ b/setup.py Tue Mar 01 19:07:56 2022 +0100
@@ -99,6 +99,7 @@
license='LGPL-3',
python_requires='>=3.7',
install_requires=[
+ 'defusedxml',
"python-dateutil",
],
extras_require={
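Review bot: The new `'defusedxml',` entry uses single quotes while the neighbouring `"python-dateutil",` uses double quotes; writing it as `"defusedxml",` keeps the list consistent. Since `proteus/config.py` now imports `defusedxml.xmlrpc` unconditionally at import time, a short comment such as `# required: hardens XML-RPC parsing, do not make optional` would record why this is a hard requirement. The entry also carries no lower version bound, which is worth a deliberate decision for a security dependency. The `setup()` call continues outside the hunk.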