[openstack-dev] [oslo] Fate of xmlutils
Ben Nemec
openstack at nemebean.com
Tue Sep 30 14:25:16 UTC 2014
This was also needed for Python 2.6, right? Do we have confirmation
that we can drop that for Kilo?
-Ben
On 09/30/2014 08:28 AM, Doug Hellmann wrote:
> I agree, it sounds like option 2 is safe.
>
> Julien, I updated your commit message on https://review.openstack.org/#/c/125021/ to point to this thread.
>
> Write-it-down-ly,
> Doug
>
> On Sep 30, 2014, at 7:17 AM, Davanum Srinivas <davanum at gmail.com> wrote:
>
>> Julien,
>>
>> I believe all the lessons learned from defusedxml (see the release
>> dates) have been folded back into the different libraries. For example
>> plain old etree.fromstring() even without any special options is ok
>> with the specially crafted xml bombs that you can find as test cases
>> in defusedxml repo. There is some more information here as well
>> (http://lxml.de/FAQ.html#is-lxml-vulnerable-to-xml-bombs). So at this
>> point, unless we see a new attack vector other than the ones that
>> caused folks to whip up defusedxml, we should be good. So Option #2 is
>> definitely the way to go
>>
>> thanks,
>> dims
>>
>> On Tue, Sep 30, 2014 at 3:45 AM, Julien Danjou <julien at danjou.info> wrote:
>>> On Mon, Sep 29 2014, Joshua Harlow wrote:
>>>
>>>> Do we know that the users (keystone, neutron...) aren't vulnerable?
>>>>
>>>> From https://pypi.python.org/pypi/defusedxml#python-xml-libraries it sure seems
>>>> like we would likely still have issues if custom implementations are being
>>>> used/created. Perhaps we should just use the defusedxml libraries until proven
>>>> otherwise (better to be safe than sorry).
>>>
>>> According to LP#1100282¹, Keystone and Neutron are supposed to not be
>>> vulnerable with different fixes than Nova.
>>>
>>> Since all the solutions are different, I'm not sure it covers the
>>> problem in its entirety in all cases.
>>>
>>> I see 2 options:
>>> 1. Put effort to move all projects to defusedxml
>>> 2. Since XML API are going to be deprecated (at least in Nova), move
>>> xmlutils to Nova and be done with it.
>>>
>>> Solution 1 requires a lot more effort, and I wonder if it's worth it.
>>>
>>>
>>> ¹ https://bugs.launchpad.net/bugs/1100282
>>>
>>> --
>>> Julien Danjou
>>> // Free Software hacker
>>> // http://julien.danjou.info
>>>
>>> _______________________________________________
>>> OpenStack-dev mailing list
>>> OpenStack-dev at lists.openstack.org
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>
>>
>>
>>
>> --
>> Davanum Srinivas :: https://twitter.com/dims
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
More information about the OpenStack-dev
mailing list