Reply-To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
Date: Tuesday, September 27, 2016 at 13:45
To: "OpenStack Development Mailing List (not for usage questions)"
On 2016-09-27 11:45:14 -0700 (-0700), Travis McPeak wrote:
> There is a private security bug about it right now too. No, not all XML
> libraries are immune now.
https://launchpad.net/bugs/1625402 which I've just now declassified.
--
Jeremy Stanley
There is a private security bug about it right now too. No, not all XML
libraries are immune now.
On Tue, Sep 27, 2016 at 11:36 AM, Dave Walker wrote:
>
>
> On 27 September 2016 at 19:19, Sean Dague wrote:
>
>> On 09/27/2016 01:24 PM, Travis McPeak wrote:
>> > There are several attacks (https:
On 27 September 2016 at 19:19, Sean Dague wrote:
> On 09/27/2016 01:24 PM, Travis McPeak wrote:
> > There are several attacks (https://pypi.python.org/pypi/defusedxml#id3)
> > that can be performed when XML is parsed from untrusted input.
> > DefusedXML offers safe alternatives to XML parsing lib
On 09/27/2016 01:24 PM, Travis McPeak wrote:
> There are several attacks (https://pypi.python.org/pypi/defusedxml#id3)
> that can be performed when XML is parsed from untrusted input.
> DefusedXML offers safe alternatives to XML parsing libraries but is not
> currently part of global requirements.
We already debated this in https://review.openstack.org/#/c/311857/
All the lessons learned from DefusedXML were already incorporated in
various Python packages. You can test this theory out by using the
test XML(s) in DefusedXML if you wish.
Also note that there have been no changes to the source
There are several attacks (https://pypi.python.org/pypi/defusedxml#id3)
that can be performed when XML is parsed from untrusted input. DefusedXML
offers safe alternatives to XML parsing libraries but is not currently part
of global requirements.
I propose adding DefusedXML to global requirements
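Two points in this thread invite a concrete check: Travis's proposal that untrusted XML must not be handed to a parser that expands entities, and Sean's suggestion to test that theory by feeding a parser known-bad documents. The following is an added example written for this page; it is not code from the thread, from OpenStack, or from the defusedxml project. It hardens the standard-library expat parser directly (the same idea defusedxml packages, but with handler names and an `EntitiesForbidden` exception that are this example's own), and the sample documents in `SAMPLES` are constructed here, with a placeholder file path that is never read.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET


class EntitiesForbidden(ValueError):
    """Raised when an untrusted document declares or references an entity."""


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source, refusing every entity declaration.

    Only the standard-library expat binding is used. Any entity declaration
    (internal, external or parameter) and any external entity reference
    aborts the parse before expansion can happen, so expansion-based and
    file-disclosure attacks never get past the DTD.
    """
    parser = xml.parsers.expat.ParserCreate()
    builder = ET.TreeBuilder()

    # expat calls this for each <!ENTITY ...> in the internal subset.
    def forbid_entity_decl(name, is_parameter_entity, value, base,
                           system_id, public_id, notation_name):
        raise EntitiesForbidden(f"entity declaration {name!r} rejected")

    # expat calls this when it would otherwise fetch an external entity.
    def forbid_external_ref(context, base, system_id, public_id):
        raise EntitiesForbidden("external entity reference rejected")

    parser.EntityDeclHandler = forbid_entity_decl
    parser.ExternalEntityRefHandler = forbid_external_ref
    # Feed the normal element events into an ElementTree builder.
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)
    return builder.close()


def stdlib_parsed_text(data: bytes) -> str:
    """Text of the root element as the unhardened ElementTree parser sees it.

    Used only to show that the stock parser silently expands internal entities.
    """
    return ET.fromstring(data).text or ""


def probe_parser(parse_fn, samples: dict) -> dict:
    """Run a parser over named sample documents and record what it did.

    This is the check Sean describes: hand the parser the known-bad documents
    and see which ones it refuses. Any exception counts as a rejection; the
    exception class is recorded so the reason is visible.
    """
    results = {}
    for name, doc in samples.items():
        try:
            parse_fn(doc)
            results[name] = "accepted"
        except Exception as exc:  # noqa: BLE001 - we want to see any refusal
            results[name] = f"rejected ({type(exc).__name__})"
    return results


# Constructed sample documents (not taken from the defusedxml test suite).
SAMPLES = {
    "benign": b"<note><to>ops-team</to></note>",
    # An internal entity is harmless on its own, but it is the building block
    # of expansion attacks, so a parser for untrusted input must refuse it.
    "entity": b'<!DOCTYPE d [<!ENTITY e "expanded">]><d>&e;</d>',
    # External entity pointing at a placeholder path; it is rejected at the
    # declaration, so the path is never opened.
    "external": (b'<!DOCTYPE d [<!ENTITY x SYSTEM "file:///placeholder/path">]>'
                 b"<d>&x;</d>"),
}


if __name__ == "__main__":
    print("hardened:", probe_parser(parse_untrusted_xml, SAMPLES))
    print("stdlib:  ", probe_parser(ET.fromstring, SAMPLES))
```

Running the module prints the hardened parser rejecting both entity-bearing documents while accepting the benign one; the stock `ElementTree.fromstring` accepts the internal-entity document and expands `&e;` to `expanded`. The same probe can be pointed at any other parser (lxml, xml.sax, a defusedxml wrapper) to see whether it refuses these documents, which is the experiment Sean proposes.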