[openstack-dev] [oslo] Fate of xmlutils
Joshua Harlow
harlowja at outlook.com
Mon Sep 29 17:27:21 UTC 2014
Do we know that the users (keystone, neutron...) aren't vulnerable?
From https://pypi.python.org/pypi/defusedxml#python-xml-libraries it sure seems like we would likely still have issues if custom implementations are being used/created. Perhaps we should just use the defusedxml libraries until proven otherwise (better to be safe than sorry).
On Sep 29, 2014, at 9:03 AM, Julien Danjou <julien at danjou.info> wrote:
> Hi,
>
> I was looking at xmlutils today, and I took a look at the history of
> this file that seems to come from a CVE almost 2 years ago.
>
> What is surprising is that, unless I missed something, the only user of
> that lib is Nova. Other projects such as Keystone or Neutron implemented
> things in a different way.
>
> It seems that Python fixed that issue with 2 modules released on PyPI:
>
> https://pypi.python.org/pypi/defusedxml
> https://pypi.python.org/pypi/defusedexpat
>
> I'm no XML expert, and I've only a shallow understanding of the issue,
> but I wonder if we should put some efforts to drop xmlutils and our
> custom XML fixes to used instead these 2 modules.
>
> Hint appreciated.
>
> --
> Julien Danjou
> /* Free Software hacker
> http://julien.danjou.info */
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
More information about the OpenStack-dev
mailing list