[openstack-dev] [Security] XML Attacks and DefusedXML on Global Requirements
Sean Dague
sean at dague.net
Tue Sep 27 18:19:14 UTC 2016
On 09/27/2016 01:24 PM, Travis McPeak wrote:
> There are several attacks (https://pypi.python.org/pypi/defusedxml#id3)
> that can be performed when XML is parsed from untrusted input.
> DefusedXML offers safe alternatives to XML parsing libraries but is not
> currently part of global requirements.
>
> I propose adding DefusedXML to global requirements so that projects have
> an option for safe XML parsing. Does anybody have any thoughts or
> objections?
Out of curiosity, are there specific areas of concern in existing
projects here? Most projects have dropped XML API support.
-Sean
--
Sean Dague
http://dague.net