On Tue, Sep 30 2014, Davanum Srinivas wrote:

> I believe all the lessons learned from defusedxml (see the release
> dates) have been folded back into the different libraries. For example
> plain old etree.fromstring() even without any special options is ok
> with the specially crafted xml bombs that you can find as test cases
> in defusedxml repo. There is some more information here as well
> (http://lxml.de/FAQ.html#is-lxml-vulnerable-to-xml-bombs). So at this
> point, unless we see a new attack vector other than the ones that
> caused folks to whip up defusedxml, we should be good. So Option #2 is
> definitely the way to go

Thanks for this information dims! I'll start working on that ASAP.

-- 
Julien Danjou
-- Free Software hacker
-- http://julien.danjou.info
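The thread above settles on relying on the parser's own protections rather than on defusedxml. The added example below is not from the thread or from either project; it shows the check a reviewer would still want when untrusted XML reaches the standard-library ElementTree (not lxml, whose behaviour is the subject of the linked FAQ). It hooks the same expat declaration handlers that defusedxml hooks, aborting on any entity declaration or external entity reference before the document is handed to `fromstring()`. The sample documents, the function names and the `EntitiesForbidden` exception are all constructed for this example.

```python
"""Reject entity declarations in untrusted XML before ElementTree parses it.

Standard library only (xml.parsers.expat and xml.etree.ElementTree).
The first pass uses a bare expat parser whose DTD handlers raise; element
content is ignored by that pass.  Only if it completes does the second
pass build the real tree.  The cost is one extra parse of the input.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class EntitiesForbidden(ValueError):
    """Raised when untrusted XML declares or references entities (constructed name)."""


def _reject_entities(data: bytes) -> None:
    """Run expat over `data` with handlers that abort on any entity machinery.

    EntityDeclHandler fires for every <!ENTITY ...> in the internal subset,
    internal or external, so expansion never gets a chance to start.
    """
    parser = xml.parsers.expat.ParserCreate()

    def entity_decl(name, is_parameter_entity, value, base,
                    system_id, public_id, notation_name):
        raise EntitiesForbidden(f"entity declaration not allowed: {name!r}")

    def unparsed_entity_decl(name, base, system_id, public_id, notation_name):
        raise EntitiesForbidden(f"unparsed entity not allowed: {name!r}")

    def external_entity_ref(context, base, system_id, public_id):
        raise EntitiesForbidden(f"external entity not allowed: {system_id!r}")

    parser.EntityDeclHandler = entity_decl
    parser.UnparsedEntityDeclHandler = unparsed_entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    # Exceptions raised inside a handler propagate out of Parse().
    parser.Parse(data, True)


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse `data` with ElementTree only after the entity check passes."""
    _reject_entities(data)
    return ET.fromstring(data)


def is_rejected(data: bytes) -> bool:
    """True when `parse_untrusted` refuses the document because of entities."""
    try:
        parse_untrusted(data)
    except EntitiesForbidden:
        return True
    return False


# Constructed sample inputs (not taken from any real project).
SAFE_SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE config>
<config><option name="verbose">true</option></config>"""

# A single internal entity: harmless on its own, but exactly the
# construct that nested definitions turn into an expansion problem.
INTERNAL_ENTITY_SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE config [ <!ENTITY greeting "hello"> ]>
<config>&greeting;</config>"""

# An external entity declaration; rejected at the declaration itself,
# so the referenced URI is never fetched.
EXTERNAL_ENTITY_SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE config [ <!ENTITY ext SYSTEM "http://example.invalid/placeholder"> ]>
<config>&ext;</config>"""


if __name__ == "__main__":
    print("safe document root:", parse_untrusted(SAFE_SAMPLE).tag)
    print("internal entity rejected:", is_rejected(INTERNAL_ENTITY_SAMPLE))
    print("external entity rejected:", is_rejected(EXTERNAL_ENTITY_SAMPLE))
```

A plain DOCTYPE without an internal subset is still accepted, so documents that merely name a DTD keep working; tighten `_reject_entities` with a `StartDoctypeDeclHandler` that raises if the application never expects a DTD at all.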