commit 4137c33922051546d45b6c9aa730433a401e3df1
Author: Sean McGinnis <email address hidden>
Date: Sat Dec 16 17:38:41 2017 -0600
Use defusedxml for XML parsing
The built-in xml module has some vulnerabilities to several known
XML attacks. While the chances of this are limited with the way
it is being used by some of the volume drivers, it is still a
security risk that has been identified and has a mostly painless
way to be mitigated with the defusedxml package [1].
There are still some drivers performing XML parsing that are not
covered by this patch. They need closer analysis to see how to
best switch to the defusedxml equivalents.
This patch covers the instances where it was mostly a drop-in
replacement of the native xml functionality with the defusedxml
alternatives.
Reviewed: https://review.openstack.org/528516
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=4137c33922051546d45b6c9aa730433a401e3df1
Submitter: Zuul
Branch: master
[1] https://github.com/tiran/defusedxml/blob/master/README.md
Change-Id: I083fc23eab6f712264919a250c6fb57cc0f6a11b
Partial-bug: #1732155
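The commit message names "several known XML attacks" without spelling them out. The example below is added here and is not code from the cinder commit or from the defusedxml package: it shows the two attack classes the defusedxml README covers (entity expansion, the "billion laughs" pattern, and external entity references, XXE), demonstrates that the stdlib `xml.etree.ElementTree.fromstring` happily expands a DTD-declared entity, and implements the same mitigation defusedxml applies (refuse any entity declaration or external entity reference at the expat level) as a small stand-in parser that returns an ordinary `Element` tree. The three sample documents are constructed for this example; `defused_parse`, `vulnerable_parse`, `is_expansion_refused` and `EntitiesForbidden` are hypothetical names and not defusedxml's API, and the sample entity sizes are kept tiny so the "attack" expands to 3000 bytes rather than gigabytes.

```python
"""Entity-expansion check for ElementTree parsing: the stdlib parser expands
DTD-declared entities; the defused parser below refuses them up front."""
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed sample: a small "billion laughs" document. lol3 expands to
# 3000 characters; the real attack nests ten levels deep (gigabytes).
LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE x [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<x>&lol3;</x>"""

# Constructed sample: an external entity reference of the kind used for XXE.
XXE = b"""<!DOCTYPE x [<!ENTITY ext SYSTEM "file:///etc/hostname">]><x>&ext;</x>"""

# Constructed sample: an ordinary, namespaced storage-array style response.
BENIGN = b"""<volumes xmlns="urn:example:storage">
  <volume id="vol-1" size="10"/>
  <volume id="vol-2" size="20"/>
</volumes>"""


class EntitiesForbidden(ValueError):
    """Raised when the document declares an entity or references an external one."""


def vulnerable_parse(data: bytes) -> ET.Element:
    """Plain stdlib parse: entity declarations are honoured and expanded."""
    return ET.fromstring(data)


def defused_parse(data: bytes) -> ET.Element:
    """Parse with expat, building the same Element tree ET.fromstring would,
    but abort on any entity declaration or external entity reference.
    Same idea as defusedxml's forbid_entities/forbid_external defaults;
    hypothetical helper written for this example, not cinder's or
    defusedxml's code."""
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate(namespace_separator="}")
    parser.buffer_text = True  # deliver text in one chunk per text node

    def fixname(name):  # expat gives "uri}local"; ET spells it "{uri}local"
        return "{" + name if "}" in name else name

    def forbid_entity(name, *_):
        raise EntitiesForbidden(f"entity declaration {name!r} refused")

    def forbid_external(context, base, system_id, public_id):
        raise EntitiesForbidden(f"external entity {system_id!r} refused")

    # The two hooks that make this parser "defused": any <!ENTITY ...>
    # declaration, internal or external, aborts the parse before expansion.
    parser.EntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = forbid_external
    parser.StartElementHandler = lambda tag, attrs: builder.start(
        fixname(tag), {fixname(k): v for k, v in attrs.items()})
    parser.EndElementHandler = lambda tag: builder.end(fixname(tag))
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)
    return builder.close()


def is_expansion_refused(data: bytes) -> bool:
    """True if the defused parser rejects the document."""
    try:
        defused_parse(data)
    except EntitiesForbidden:
        return True
    return False


if __name__ == "__main__":
    print("stdlib expanded text length:", len(vulnerable_parse(LAUGHS).text))
    print("defused refuses LAUGHS:", is_expansion_refused(LAUGHS))
    print("defused refuses XXE:", is_expansion_refused(XXE))
    root = defused_parse(BENIGN)
    print(root.tag, [v.get("id") for v in root])
```

The check a reviewer would want when auditing the drivers the commit says are still uncovered is the `LAUGHS` case: feed each remaining `xml.etree` / `xml.dom.minidom` / `xml.sax` call site a document with an internal entity declaration and confirm it is refused rather than expanded. The stdlib expat parser does not resolve external entities on its own, so the XXE sample is rejected here because its `<!ENTITY ... SYSTEM ...>` declaration trips the same handler; the external-reference hook is kept as defence in depth.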