From f4bf3bac2a54c18af022be503bca42a8e8377f51 Mon Sep 17 00:00:00 2001
From: Dmitri Bogomolov <4glitch@gmail.com>
Date: Thu, 25 Oct 2018 13:57:21 +0300
Subject: [PATCH] Used defusedxml to protect against XML vulnerabilities

---
 setup.py | 1 +
 src/api.py | 10 +++++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/setup.py b/setup.py
index 3e585b6b..a6f7844c 100644
--- a/setup.py
+++ b/setup.py
@@ -17,6 +17,7 @@ EXTRAS_REQUIRE = {
     'qrcode': ['qrcode'],
     'sound;platform_system=="Windows"': ['winsound'],
     'tor': ['stem'],
+    'xml': ['defusedxml'],
     'docs': ['sphinx', 'sphinxcontrib-apidoc', 'm2r']
 }
 
diff --git a/src/api.py b/src/api.py
index 7c498dd1..0a38a7d6 100644
--- a/src/api.py
+++ b/src/api.py
@@ -17,10 +17,10 @@ import random # nosec
 import socket
 import subprocess
 import time
+import xmlrpclib
 from binascii import hexlify, unhexlify
 from SimpleXMLRPCServer import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer
 from struct import pack
-import xmlrpclib
 
 import defaults
 import helper_inbox
@@ -46,6 +46,14 @@ from inventory import Inventory
 from network.threads import StoppableThread
 from version import softwareVersion
 
+try: # TODO: write tests for XML vulnerabilities
+    from defusedxml.xmlrpc import monkey_patch
+except ImportError:
+    logger.warning(
+        'defusedxml not available, only use API on a secure, closed network.')
+else:
+    monkey_patch()
+
 str_chan = '[chan]'
 str_broadcast_subscribers = '[Broadcast subscribers]'
 
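Review bot: Placing defusedxml under the optional `'xml'` extra in the setup.py hunk makes the parser hardening opt-in, so a default install of the project never receives it and the src/api.py hunk below falls through to its warning branch. Since the XML-RPC API is the surface the commit sets out to protect, the package belongs in the required-dependency list (wherever setup.py declares it, which this hunk does not show), with the extra kept only so existing `pip install .[xml]` invocations keep working. A short comment next to the new entry, `# kept for compatibility; defusedxml is now a hard requirement`, would make the intent clear once it is moved.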
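Review bot: The `except ImportError` branch in the try block at the top of the second src/api.py hunk fails open: when defusedxml is missing, the XML-RPC server keeps parsing requests with the stdlib expat parser, and the only signal is one warning emitted at import time that the operator of a long-running daemon is unlikely to see. A fail-closed default is safer, for example `logger.error('defusedxml not available, refusing to start the API; install it or opt in explicitly')` together with not starting the API server, leaving the current behaviour behind an explicit opt-in. The branch also relies on `logger` being bound before this module-level code runs, which the hunk does not show; if it is imported lower in the file the fallback itself raises NameError. For the `# TODO: write tests for XML vulnerabilities` comment, a concrete follow-up would be a test that sends a request carrying entity declarations and asserts the server surfaces defusedxml's `EntitiesForbidden` (and `ExternalReferenceForbidden` for external references) instead of expanding them.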