[openstack-dev] [oslo] Fate of xmlutils

Julien Danjou julien at danjou.info
Mon Sep 29 16:03:20 UTC 2014


Hi,

I was looking at xmlutils today, and I took a look at the history of
this file that seems to come from a CVE almost 2 years ago.

What is surprising is that, unless I missed something, the only user of
that lib is Nova. Other projects such as Keystone or Neutron implemented
things in a different way.

It seems that Python fixed that issue with 2 modules released on PyPI:

  https://pypi.python.org/pypi/defusedxml
  https://pypi.python.org/pypi/defusedexpat

I'm no XML expert, and I have only a shallow understanding of the issue,
but I wonder if we should put some effort into dropping xmlutils and our
custom XML fixes and using these 2 modules instead.

Hint appreciated.

-- 
Julien Danjou
/* Free Software hacker
   http://julien.danjou.info */
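For readers who, like the author, only have a shallow view of the issue xmlutils was written for: the problem is unbounded entity expansion ("billion laughs") in the stock expat-based parsers, and defusedxml's fix is to install handlers on the underlying expat parser that abort the parse as soon as an entity declaration or external entity reference appears. The following is an added, stand-alone example written for this page; it is not code from the original message, from oslo's xmlutils or from defusedxml. It uses only the standard library: xml.parsers.expat is driven directly to mirror defusedxml's approach, the payload is a deliberately small constructed sample (10 x 10 x 10 expansions instead of 10 levels), and all function and constant names are the example's own.

```python
"""Entity expansion in stock ElementTree vs. a defusedxml-style hardened parse.

Added example for this thread; stdlib only. The payload below is constructed
and kept small (1000 expansions) so the unsafe parse finishes instantly while
still showing the amplification that a full billion-laughs document exploits.
"""
from xml.etree import ElementTree as ET
from xml.parsers import expat

# Constructed sample payload: three nested internal entities, 10 refs each.
LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""

# Constructed benign document, the kind of body an API would normally see.
BENIGN = b'<?xml version="1.0"?><server><name>vm-01</name></server>'


class ForbiddenXML(ValueError):
    """Raised when a document uses a construct the hardened parser refuses."""


def parse_unsafe(data: bytes) -> int:
    """Stock ElementTree: internal entities are expanded with no limit.

    Returns the total length of character data after expansion, so the
    caller can compare it with the size of the input.
    """
    root = ET.fromstring(data)
    return sum(len(t) for t in root.itertext())


def parse_hardened(data: bytes) -> int:
    """Expat driven directly with the hooks defusedxml installs (forbid_entities
    and forbid_external): any entity declaration or external entity reference
    raises ForbiddenXML before expansion can happen. Returns total character
    data length for well-behaved input.
    """
    chunks = []
    parser = expat.ParserCreate()

    # Signature fixed by pyexpat: (name, is_parameter_entity, value, base,
    # system_id, public_id, notation_name). Exceptions propagate out of Parse().
    def forbid_entity(name, is_param, value, base, system_id, public_id, notation):
        raise ForbiddenXML(f"entity declaration not allowed: {name!r}")

    # Signature fixed by pyexpat: (context, base, system_id, public_id).
    def forbid_external(context, base, system_id, public_id):
        raise ForbiddenXML(f"external entity reference not allowed: {system_id!r}")

    parser.EntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = forbid_external
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)
    return sum(len(c) for c in chunks)


def hardened_rejects(data: bytes) -> bool:
    """True if the hardened parser refuses the document, False if it parses."""
    try:
        parse_hardened(data)
    except ForbiddenXML:
        return True
    return False


if __name__ == "__main__":
    print("input bytes:", len(LAUGHS))
    print("unsafe parse expanded to:", parse_unsafe(LAUGHS), "chars")
    print("hardened parse rejects payload:", hardened_rejects(LAUGHS))
    print("hardened parse of benign doc:", parse_hardened(BENIGN), "chars")
```

Two caveats for anyone weighing this against xmlutils: defusedxml also leaves the DTD itself allowed by default (forbid_dtd=False), which is why the example hooks entity declarations rather than the DOCTYPE; and newer libexpat releases add their own amplification limit, but it only activates above a sizeable output threshold, so a document-level refusal like the one above is still what stops a payload at the API boundary.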