[openstack-dev] [oslo] Fate of xmlutils
Doug Hellmann
doug at doughellmann.com
Tue Sep 30 13:28:21 UTC 2014
I agree, it sounds like option 2 is safe.
Julien, I updated your commit message on https://review.openstack.org/#/c/125021/ to point to this thread.
Write-it-down-ly,
Doug
On Sep 30, 2014, at 7:17 AM, Davanum Srinivas <davanum at gmail.com> wrote:
> Julien,
>
> I believe all the lessons learned from defusedxml (see the release
> dates) have been folded back into the different libraries. For example
> plain old etree.fromstring() even without any special options is ok
> with the specially crafted xml bombs that you can find as test cases
> in defusedxml repo. There is some more information here as well
> (http://lxml.de/FAQ.html#is-lxml-vulnerable-to-xml-bombs). So at this
> point, unless we see a new attack vector other than the ones that
> caused folks to whip up defusedxml, we should be good. So Option #2 is
> definitely the way to go.
>
> thanks,
> dims
>
> On Tue, Sep 30, 2014 at 3:45 AM, Julien Danjou <julien at danjou.info> wrote:
>> On Mon, Sep 29 2014, Joshua Harlow wrote:
>>
>>> Do we know that the users (keystone, neutron...) aren't vulnerable?
>>>
>>> From https://pypi.python.org/pypi/defusedxml#python-xml-libraries it sure seems
>>> like we would likely still have issues if custom implementations are being
>>> used/created. Perhaps we should just use the defusedxml libraries until proven
>>> otherwise (better to be safe than sorry).
>>
>> According to LP#1100282¹, Keystone and Neutron are supposed to not be
>> vulnerable with different fixes than Nova.
>>
>> Since all the solutions are different, I'm not sure it covers the
>> problem in its entirety in all cases.
>>
>> I see 2 options:
>> 1. Put effort to move all projects to defusedxml
>> 2. Since XML APIs are going to be deprecated (at least in Nova), move
>> xmlutils to Nova and be done with it.
>>
>> Solution 1 requires a lot more effort, and I wonder if it's worth it.
>>
>>
>> ¹ https://bugs.launchpad.net/bugs/1100282
>>
>> --
>> Julien Danjou
>> // Free Software hacker
>> // http://julien.danjou.info
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>
>
>
> --
> Davanum Srinivas :: https://twitter.com/dims
>
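As an added example (not code from this thread, from oslo's xmlutils or from defusedxml), the kind of pre-parse guard the thread is weighing: a Python 3 check in the spirit of defusedxml's forbid_dtd/forbid_entities options, built only on the stdlib pyexpat module, so a document declaring entities is rejected before ElementTree ever expands anything. The sample documents are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """Raised when a document declares a DTD or entities we refuse to expand."""


def scan_for_entities(data: bytes, forbid_dtd: bool = False) -> None:
    """Standalone expat pass that aborts on any entity declaration (internal,
    parameter or external) and optionally on any DOCTYPE at all. Nothing is
    expanded during this pass; the first offending declaration raises."""
    p = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if forbid_dtd:
            raise ForbiddenXML("DOCTYPE not allowed: %s" % name)

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise ForbiddenXML("entity declaration not allowed: %s" % name)

    def on_external_ref(context, base, sysid, pubid):
        raise ForbiddenXML("external entity reference not allowed: %s" % sysid)

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity
    p.ExternalEntityRefHandler = on_external_ref
    p.Parse(data, True)


def safe_fromstring(data: bytes, forbid_dtd: bool = False) -> ET.Element:
    """Parse with ElementTree only after the guard pass has accepted the input."""
    scan_for_entities(data, forbid_dtd=forbid_dtd)
    return ET.fromstring(data)


def classify(data: bytes, forbid_dtd: bool = False) -> str:
    """Return 'ok' or the rejection reason (handy for logging at an API edge)."""
    try:
        safe_fromstring(data, forbid_dtd=forbid_dtd)
        return "ok"
    except ForbiddenXML as exc:
        return "rejected: %s" % exc


# Constructed inputs. ENTITY_DOC is a two-level internal entity chain; a real
# expansion bomb only nests this deeper, and the guard trips on the first <!ENTITY>.
BENIGN = b"<server><name>web01</name></server>"
ENTITY_DOC = (b'<?xml version="1.0"?>\n<!DOCTYPE r [\n  <!ENTITY a "aaaaaaaaaa">\n'
              b'  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">\n]>\n<r>&b;</r>')
```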