There is a private security bug about it right now too. No, not all XML
libraries are immune now.

On Tue, Sep 27, 2016 at 11:36 AM, Dave Walker <email at daviey.com> wrote:

> On 27 September 2016 at 19:19, Sean Dague <sean at dague.net> wrote:
>
>> On 09/27/2016 01:24 PM, Travis McPeak wrote:
>> > There are several attacks (https://pypi.python.org/pypi/defusedxml#id3)
>> > that can be performed when XML is parsed from untrusted input.
>> > DefusedXML offers safe alternatives to XML parsing libraries but is not
>> > currently part of global requirements.
>> >
>> > I propose adding DefusedXML to global requirements so that projects have
>> > an option for safe XML parsing. Does anybody have any thoughts or
>> > objections?
>>
>> Out of curiosity, are there specific areas of concern in existing
>> projects here? Most projects have dropped XML API support.
>>
>
> Outbound XML datasources which are parsed still used with at least nova
> vmware support and multiple cinder drivers.
>
> openstack/ec2-api is still providing an xml api service?
>
> --
> Kind Regards,
> Dave Walker

--
-Travis
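
Added example, not part of the original thread and not defusedxml's own code: a standard-library version of the kind of check the proposal is about, refusing entity declarations (and optionally any DTD) before untrusted XML reaches ElementTree. The names `safe_fromstring` and `ForbiddenXML` and the sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """The document uses a construct we refuse to process."""


def safe_fromstring(data, forbid_dtd=False):
    """Parse untrusted XML bytes; reject entity declarations and external refs.

    Hypothetical helper. Pass 1 runs a bare expat parser whose handlers abort
    on the first risky declaration; pass 2 builds the tree only if pass 1 passed.
    """
    def on_doctype(name, sysid, pubid, has_internal_subset):
        if forbid_dtd:
            raise ForbiddenXML("DTD not allowed: %r" % name)

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Fires when the declaration is read, before any reference is expanded.
        raise ForbiddenXML("entity declaration not allowed: %r" % name)

    def on_external_ref(context, base, sysid, pubid):
        raise ForbiddenXML("external reference not allowed: %r" % sysid)

    checker = expat.ParserCreate()
    checker.StartDoctypeDeclHandler = on_doctype
    checker.EntityDeclHandler = on_entity_decl
    checker.ExternalEntityRefHandler = on_external_ref
    checker.Parse(data, True)  # exceptions raised in handlers propagate out
    return ET.fromstring(data)


# Constructed sample inputs (not taken from any real service).
BENIGN = b"<volume><name>vol-1</name></volume>"
WITH_ENTITY = b'<!DOCTYPE v [<!ENTITY a "aaaa">]><v>&a;</v>'
WITH_DTD = b'<!DOCTYPE v SYSTEM "v.dtd"><v/>'


def is_rejected(data, **kwargs):
    """Return True if safe_fromstring refuses the document."""
    try:
        safe_fromstring(data, **kwargs)
    except ForbiddenXML:
        return True
    return False


if __name__ == "__main__":
    print(safe_fromstring(BENIGN).findtext("name"))
    print(is_rejected(WITH_ENTITY), is_rejected(WITH_DTD, forbid_dtd=True))
```
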