Use defusedxml function instead of lxml.etree.parse

Bug #1731865 reported by Spencer Yu
This bug affects 1 person
Affects: OpenStack Compute (nova)
Status: Won't Fix
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Due to https://docs.openstack.org/bandit/latest/blacklists/blacklist_calls.html#b313-b320-xml,
we should use a defusedxml function instead of lxml.etree.parse to prevent XML attacks.
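
An added illustration, not part of the original report and not nova's or defusedxml's code: a standard-library-only sketch of the kind of check a defused parser makes, refusing any document that declares entities before a tree is built. The names `ForbiddenXML`, `check_xml`, `safe_fromstring` and `is_rejected` are hypothetical, and the sample documents are constructed.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """Document uses a DTD construct this parser refuses to process."""


def _forbid(what):
    # Build an expat callback that aborts parsing as soon as it fires.
    def handler(*_args):
        raise ForbiddenXML(what + " is not allowed")
    return handler


def check_xml(data, forbid_dtd=False):
    """Scan data with expat and raise ForbiddenXML on entity declarations."""
    parser = expat.ParserCreate()
    if forbid_dtd:
        parser.StartDoctypeDeclHandler = _forbid("DOCTYPE")
    parser.EntityDeclHandler = _forbid("entity declaration")
    parser.UnparsedEntityDeclHandler = _forbid("unparsed entity declaration")
    parser.ExternalEntityRefHandler = _forbid("external entity reference")
    parser.Parse(data, True)


def safe_fromstring(data, forbid_dtd=False):
    """Return the root Element only if the document passed check_xml."""
    check_xml(data, forbid_dtd)  # first pass: policy check, no tree built
    return ET.fromstring(data)   # second pass: normal tree construction


def is_rejected(data, forbid_dtd=False):
    """True when the policy check refuses the document."""
    try:
        safe_fromstring(data, forbid_dtd)
    except ForbiddenXML:
        return True
    return False


# Constructed sample documents (not taken from nova).
PLAIN = b"<domain type='kvm'><name>instance-0001</name></domain>"
NESTED_ENTITIES = (b"<!DOCTYPE d [<!ENTITY a 'xx'><!ENTITY b '&a;&a;'>]>"
                   b"<d>&b;</d>")
EXTERNAL_ENTITY = (b"<!DOCTYPE d [<!ENTITY e SYSTEM 'file:///placeholder'>]>"
                   b"<d>&e;</d>")
DTD_ONLY = b"<!DOCTYPE d [<!ELEMENT d (#PCDATA)>]><d>ok</d>"
```

Malformed input still raises `expat.ExpatError` from the first pass, so callers should treat that as a rejection as well.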

Spencer Yu (yushb)
Changed in nova:
assignee: nobody → Spencer Yu (yushb)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/519291

Changed in nova:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Change abandoned on nova (master)

Change abandoned by Stephen Finucane (<email address hidden>) on branch: master
Review: https://review.opendev.org/519291

Stephen Finucane (stephenfinucane) wrote :

As noted in the review, this isn't necessarily a huge issue and I'm not sure it's worth investing time on.

Changed in nova:
status: In Progress → Won't Fix
assignee: Spencer Yu (yushb) → nobody