Open Stack

Julien,

I believe all the lessons learned from defusedxml (see the release
dates) have been folded back into the different libraries. For example
plain old etree.fromstring() even without any special options is ok
with the specially crafted xml bombs that you can find as test cases
in defusedxml repo. There is some more information here as well
(http://lxml.de/FAQ.html#is-lxml-vulnerable-to-xml-bombs). So at this
point, unless we see a new attack vector other than the ones that
caused folks to whip up defusedxml, we should be good. So Option #2 is
definitely the way to go

thanks,
dims

On Tue, Sep 30, 2014 at 3:45 AM, Julien Danjou <julien at danjou.info> wrote:
> On Mon, Sep 29 2014, Joshua Harlow wrote:
>
>> Do we know that the users (keystone, neutron...) aren't vulnerable?
>>
>> From https://pypi.python.org/pypi/defusedxml#python-xml-libraries it sure seems
>> like we would likely still have issues if custom implementations are being
>> used/created. Perhaps we should just use the defusedxml libraries until proven
>> otherwise (better to be safe than sorry).
>
> According to LP#1100282¹, Keystone and Neutron are supposed to not be
> vulnerable with different fixes than Nova.
>
> Since all the solutions are different, I'm not sure it covers the
> problem in its entirety in all cases.
>
> I see 2 options:
> 1. Put effort to move all projects to defusedxml
> 2. Since XML API are going to be deprecated (at least in Nova), move
>    xmlutils to Nova and be done with it.
>
> Solution 1 requires a lot more effort, and I wonder if it's worth it.
>
>
> ¹  https://bugs.launchpad.net/bugs/1100282
>
> --
> Julien Danjou
> // Free Software hacker
> // http://julien.danjou.info
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>



-- 
Davanum Srinivas :: https://twitter.com/dims