[openstack-dev] [Security] [requirements] XML Attacks and DefusedXML on Global Requirements

Jeremy Stanley fungi at yuggoth.org
Tue Sep 27 17:33:37 UTC 2016


On 2016-09-27 10:24:02 -0700 (-0700), Travis McPeak wrote:
> There are several attacks (https://pypi.python.org/pypi/defusedxml#id3)
> that can be performed when XML is parsed from untrusted input.  DefusedXML
> offers safe alternatives to XML parsing libraries but is not currently part
> of global requirements.
> 
> I propose adding DefusedXML to global requirements so that projects have an
> option for safe XML parsing.  Does anybody have any thoughts or objections?

An addition to global requirements is generally accompanied by
direct use in at least one project getting requirements
synchronization. We have semi-regular efforts to find and "clean up"
requirements which are not used by any projects, to keep the list
to as sane a length as is reasonably possible and reduce its
testing/tracking surface area.

Getting defusedxml implemented by at least one project in the
projects.txt file of the requirements repo would be a good idea both
as a demonstration that it's a viable tool and also as a precaution
against its later removal due to lack of use.
-- 
Jeremy Stanley
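For readers of the thread who want to see the "safe XML parsing" guard Travis refers to, here is an added example that is not code from the thread or from defusedxml: a stdlib-only guard built on the same expat hook points that defusedxml's ElementTree module relies on (defusedxml itself is the drop-in to use in a project; the function names and sample documents below are constructed for illustration).

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class ForbiddenXML(ValueError):
    """Raised when untrusted XML declares entities, external refs or (optionally) a DTD."""


def _refuse(what):
    # Any handler installed here aborts the parse before expat acts on the construct.
    def handler(*_args):
        raise ForbiddenXML(f"{what} is not allowed in XML from untrusted input")
    return handler


def parse_untrusted(data: bytes, forbid_dtd: bool = False) -> ET.Element:
    """Build an ElementTree from untrusted bytes while refusing dangerous constructs.

    Entity declarations (internal and unparsed) and external entity references are
    refused at the declaration, so an entity-expansion bomb is never expanded and an
    external entity is never fetched; a DOCTYPE is refused only when forbid_dtd is set
    (mirroring defusedxml's default of forbidding entities but tolerating a DTD).
    """
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.EntityDeclHandler = _refuse("entity declaration")
    parser.UnparsedEntityDeclHandler = _refuse("unparsed entity declaration")
    parser.ExternalEntityRefHandler = _refuse("external entity reference")
    if forbid_dtd:
        parser.StartDoctypeDeclHandler = _refuse("DOCTYPE declaration")
    parser.Parse(data, True)  # raises expat.ExpatError on malformed input
    return builder.close()


# Constructed sample inputs (not from the thread).
SAFE_DOC = b"<server><name>compute-1</name></server>"
ENTITY_DOC = b'<!DOCTYPE server [<!ENTITY host "compute-1">]><server>&host;</server>'
DTD_ONLY_DOC = b'<!DOCTYPE server SYSTEM "server.dtd"><server/>'


def classify(data: bytes, forbid_dtd: bool = False) -> str:
    """Return the root tag if parsing is allowed, else the reason it was refused."""
    try:
        return parse_untrusted(data, forbid_dtd).tag
    except ForbiddenXML as exc:
        return f"refused: {exc}"
```

With defusedxml installed, the equivalent call is `defusedxml.ElementTree.fromstring(data)`, which raises `defusedxml.EntitiesForbidden` in the entity case instead of the constructed `ForbiddenXML` above.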
