<div dir="ltr">There is a private security bug about it right now too.  No, not all XML libraries are immune now.</div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Sep 27, 2016 at 11:36 AM, Dave Walker <span dir="ltr"><<a href="mailto:email@daviey.com" target="_blank">email@daviey.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote"><span class="">On 27 September 2016 at 19:19, Sean Dague <span dir="ltr"><<a href="mailto:sean@dague.net" target="_blank">sean@dague.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span>On 09/27/2016 01:24 PM, Travis McPeak wrote:<br>
> There are several attacks (<a href="https://pypi.python.org/pypi/defusedxml#id3" rel="noreferrer" target="_blank">https://pypi.python.org/pypi/<wbr>defusedxml#id3</a>)<br>
> that can be performed when XML is parsed from untrusted input.<br>
> DefusedXML offers safe alternatives to XML parsing libraries but is not<br>
> currently part of global requirements.<br>
><br>
> I propose adding DefusedXML to global requirements so that projects have<br>
> an option for safe XML parsing.  Does anybody have any thoughts or<br>
> objections?<br>
<br>
</span>Out of curiosity, are there specific areas of concern in existing<br>
projects here? Most projects have dropped XML API support.<br>
<span><font color="#888888"><br></font></span></blockquote><div><br></div></span><div>Outbound XML datasources which are parsed are still used with at least nova vmware support and multiple cinder drivers.</div><div><br></div><div>openstack/ec2-api is still providing an xml api service?<br></div><div><br></div><div>--</div><div>Kind Regards,</div><div>Dave Walker</div></div></div></div>
<br>______________________________<wbr>______________________________<wbr>______________<br>
OpenStack Development Mailing List (not for usage questions)<br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">-Travis</div>
</div>
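As an added illustration of the point made in the thread (not code from the thread, from OpenStack, or from the defusedxml project), the following stdlib-only parser applies the same idea defusedxml uses: it hooks the expat parser and refuses DTD entity declarations and external entity references before any expansion happens, so a document using them is rejected instead of parsed. The sample documents in the comments and test are constructed for the example.

```python
# Added example: a minimal "defused" XML parser in the spirit of defusedxml,
# built only on the standard library. It rejects the constructs behind the
# entity-expansion and external-entity issues named on the defusedxml page.
import xml.parsers.expat
import xml.etree.ElementTree as ET


class ForbiddenXML(Exception):
    """Raised when untrusted XML uses a construct we refuse to process."""


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source.

    Any <!ENTITY ...> declaration in an inline DOCTYPE, and any reference to
    an external entity, aborts parsing with ForbiddenXML. The parser is
    created per call, so an aborted parse never leaks state into the next one.
    """
    target = ET.TreeBuilder()
    parser = xml.parsers.expat.ParserCreate()

    def forbid_entity_decl(name, *_args):
        # Fires for every entity declared in the DTD, internal or external,
        # before the entity can be referenced and expanded in the body.
        raise ForbiddenXML(f"entity declaration refused: {name!r}")

    def forbid_external_ref(_context, _base, system_id, _public_id):
        # Belt and braces: refuse any attempt to resolve an external entity.
        raise ForbiddenXML(f"external entity refused: {system_id!r}")

    parser.EntityDeclHandler = forbid_entity_decl
    parser.ExternalEntityRefHandler = forbid_external_ref
    parser.StartElementHandler = target.start
    parser.EndElementHandler = target.end
    parser.CharacterDataHandler = target.data
    parser.Parse(data, True)
    return target.close()


def accepts(data: bytes) -> bool:
    """True if the document parses cleanly, False if it was refused."""
    try:
        parse_untrusted(data)
    except ForbiddenXML:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: an ordinary document is parsed as usual.
    print(parse_untrusted(b"<server><name>vm1</name></server>").find("name").text)
    # Constructed sample: a document declaring an entity is refused.
    print(accepts(b'<!DOCTYPE d [<!ENTITY a "x">]><d>&a;</d>'))
```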