[openstack-dev] [Security] XML Attacks and DefusedXML on Global Requirements

Dave Walker email at daviey.com
Tue Sep 27 18:36:04 UTC 2016


On 27 September 2016 at 19:19, Sean Dague <sean at dague.net> wrote:

> On 09/27/2016 01:24 PM, Travis McPeak wrote:
> > There are several attacks (https://pypi.python.org/pypi/defusedxml#id3)
> > that can be performed when XML is parsed from untrusted input.
> > DefusedXML offers safe alternatives to XML parsing libraries but is not
> > currently part of global requirements.
> >
> > I propose adding DefusedXML to global requirements so that projects have
> > an option for safe XML parsing.  Does anybody have any thoughts or
> > objections?
>
> Out of curiosity, are there specific areas of concern in existing
> projects here? Most projects have dropped XML API support.
>
>
Outbound XML data sources which are parsed are still used with at least nova
VMware support and multiple cinder drivers.

Is openstack/ec2-api still providing an XML API service?

--
Kind Regards,
Dave Walker
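The safe-parsing option the thread is about, shown as an added example that is not part of the original e-mail thread and not defusedxml's own code: the stdlib ElementTree parser expands entities declared in a DOCTYPE, whereas a parser for untrusted input should refuse DOCTYPEs, entity declarations and external entity references outright. The example wires those refusals straight onto expat's handler hooks (the same hooks defusedxml uses) so it runs with the standard library only; the sample documents and the `ForbiddenXML` exception name are constructed for the illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """Raised when untrusted XML uses a feature we refuse to process."""


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse XML while refusing DTDs, entity declarations and external entities.

    Illustrative stdlib-only hardening (not defusedxml's implementation): each
    forbidden construct raises from inside its expat handler, which aborts the
    parse before any entity body is ever expanded.
    """
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenXML(f"DOCTYPE not allowed (name={name!r})")

    def forbid_entity(*_args):
        raise ForbiddenXML("entity declarations not allowed")

    def forbid_external(context, base, sysid, pubid):
        raise ForbiddenXML("external entity references not allowed")

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.UnparsedEntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = forbid_external
    # Feed the element events into a normal ElementTree builder.
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc
    return builder.close()


def stdlib_text(data: bytes) -> str:
    """What the unhardened stdlib parser returns for the root element's text."""
    return ET.fromstring(data).text


# Constructed sample input: a benign document and one with an internal entity.
BENIGN_DOC = b"<doc><item id='1'>hi</item></doc>"
ENTITY_DOC = b'<!DOCTYPE d [<!ENTITY e "expanded">]><d>&e;</d>'


if __name__ == "__main__":
    print("stdlib expands the entity:", stdlib_text(ENTITY_DOC))
    print("hardened parser:", parse_untrusted(BENIGN_DOC).find("item").text)
    try:
        parse_untrusted(ENTITY_DOC)
    except ForbiddenXML as exc:
        print("hardened parser refused:", exc)
```

The point for drivers that parse XML returned by a backend (the nova VMware and cinder cases mentioned above) is that the DOCTYPE hook fires before expat has seen any entity definitions, so the cost of a rejected document is one exception rather than a large expansion.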