Reviewed:  https://review.openstack.org/528516
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=4137c33922051546d45b6c9aa730433a401e3df1
Submitter: Zuul
Branch:    master

commit 4137c33922051546d45b6c9aa730433a401e3df1
Author: Sean McGinnis <sean.mcginnis at huawei.com>
Date:   Sat Dec 16 17:38:41 2017 -0600

    Use defusedxml for XML parsing

    The built-in xml module has some vulnerabilities to several known XML
    attacks. While the chances of this are limited with the way it is being
    used by some of the volume drivers, it is still a security risk that has
    been identified and has a mostly painless way to be mitigated with the
    defusedxml package [1].

    There are still some drivers performing XML parsing that are not covered
    by this patch. They need closer analysis to see how to best switch to
    the defusedxml equivalents. This patch covers the instances where it was
    a mostly drop in and replace from the native xml functionality to the
    defusedxml alternatives.

    [1] https://github.com/tiran/defusedxml/blob/master/README.md

    Change-Id: I083fc23eab6f712264919a250c6fb57cc0f6a11b
    Partial-bug: #1732155

--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1732155

Title:
  bandit report: use defusedxml to avoid XML attack

Status in Cinder:
  In Progress
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  According to https://docs.openstack.org/bandit/latest/api/bandit.blacklists.html
  Using various XML methods to parse untrusted XML data is known to be
  vulnerable to XML attacks. Methods should be replaced with their
  defusedxml equivalents.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1732155/+subscriptions
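To make the "known XML attacks" named in the commit message concrete, the following is an added example; it is not part of the bug report, the bandit output or the cinder patch. It shows the unguarded stdlib parser materialising a deliberately small entity bomb, then a stdlib-only guard that refuses DTD entity declarations (optionally any DOCTYPE) before a single reference is expanded, which is the behaviour defusedxml.ElementTree.fromstring provides out of the box via its forbid_entities / forbid_dtd flags and its EntitiesForbidden / DTDForbidden exceptions. The payloads are constructed, and safe_fromstring, rejected_with and the two exception classes are hypothetical names modelled on defusedxml's; the example uses only the standard library so it runs without the defusedxml package installed, but in production code the right change is the one the patch makes: import fromstring/parse from defusedxml.ElementTree instead of xml.etree.ElementTree.

```python
"""Entity expansion against xml.etree, and a stdlib-only guard that refuses
DTD entities up front (the same policy defusedxml applies by default)."""
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed payloads (not from the cinder code base). The bomb is kept to
# 3 levels x 10 references, i.e. 100 copies of "lol", so it runs instantly;
# the classic attack nests ~10 levels for a multi-gigabyte expansion.
ENTITY_BOMB = """<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>"""

# Constructed external-entity (XXE) payload: a SYSTEM entity pointing at a file.
XXE = """<?xml version="1.0"?>
<!DOCTYPE r [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<r>&xxe;</r>"""

# Constructed: a DOCTYPE that declares no entities, and a plain document.
EXTERNAL_DTD = '<!DOCTYPE volumes SYSTEM "volumes.dtd"><volumes/>'
BENIGN = '<volumes><volume name="vol-1" size="10"/></volumes>'


class DTDForbidden(ValueError):
    """Document carries a DOCTYPE (hypothetical; modelled on defusedxml.DTDForbidden)."""


class EntitiesForbidden(ValueError):
    """DTD declares entities (hypothetical; modelled on defusedxml.EntitiesForbidden)."""


def expanded_text(doc: str) -> str:
    """Text the unguarded stdlib parser materialises for doc."""
    return "".join(ET.fromstring(doc).itertext())


def _reject_dtd(*_args):
    raise DTDForbidden("DOCTYPE declarations are not allowed in untrusted XML")


def _reject_entity(*_args):
    raise EntitiesForbidden("entity declarations are not allowed in untrusted XML")


def safe_fromstring(doc: str, forbid_dtd: bool = False) -> ET.Element:
    """Hypothetical guarded parse (not cinder's code): a first expat pass
    raises on the DOCTYPE (if forbid_dtd) or on the first <!ENTITY ...>
    declaration, before any reference is expanded; only a document that
    survives that pass is handed to ElementTree."""
    guard = expat.ParserCreate()
    if forbid_dtd:
        guard.StartDoctypeDeclHandler = _reject_dtd
    # Fires for internal entities and for SYSTEM/PUBLIC (external) ones alike.
    guard.EntityDeclHandler = _reject_entity
    guard.Parse(doc, True)  # exceptions raised inside handlers propagate here
    return ET.fromstring(doc)


def rejected_with(doc: str, **kw):
    """Guard exception class raised for doc, or None if it parsed cleanly."""
    try:
        safe_fromstring(doc, **kw)
    except (DTDForbidden, EntitiesForbidden) as exc:
        return type(exc)
    return None


if __name__ == "__main__":
    text = expanded_text(ENTITY_BOMB)
    print(f"unguarded: {len(ENTITY_BOMB)} input bytes became {len(text)} bytes of text")
    print("bomb     ->", rejected_with(ENTITY_BOMB).__name__)
    print("xxe      ->", rejected_with(XXE).__name__)
    print("ext dtd  ->", rejected_with(EXTERNAL_DTD), "(entities only forbidden)")
    print("ext dtd  ->", rejected_with(EXTERNAL_DTD, forbid_dtd=True).__name__)
    print("benign   ->", safe_fromstring(BENIGN).tag)
```

The guard parses the input twice, which is the price of staying in the standard library; defusedxml avoids that by installing the same handlers on the parser that builds the tree. Note also that the stdlib will expand a bomb of this size without complaint: libexpat's built-in amplification limit only engages once output passes several megabytes, so small-scale expansion, and any entity declaration at all, still reaches the application unless a guard like this (or defusedxml) rejects it.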