Used defusedxml to protect against XML vulnerabilities
This commit is contained in:
parent
2142888cbe
commit
f4bf3bac2a
1
setup.py
1
setup.py
|
@ -17,6 +17,7 @@ EXTRAS_REQUIRE = {
|
||||||
'qrcode': ['qrcode'],
|
'qrcode': ['qrcode'],
|
||||||
'sound;platform_system=="Windows"': ['winsound'],
|
'sound;platform_system=="Windows"': ['winsound'],
|
||||||
'tor': ['stem'],
|
'tor': ['stem'],
|
||||||
|
'xml': ['defusedxml'],
|
||||||
'docs': ['sphinx', 'sphinxcontrib-apidoc', 'm2r']
|
'docs': ['sphinx', 'sphinxcontrib-apidoc', 'm2r']
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
10
src/api.py
10
src/api.py
|
@ -17,10 +17,10 @@ import random # nosec
|
||||||
import socket
|
import socket
|
||||||
import subprocess
|
import subprocess
|
||||||
import time
|
import time
|
||||||
|
import xmlrpclib
|
||||||
from binascii import hexlify, unhexlify
|
from binascii import hexlify, unhexlify
|
||||||
from SimpleXMLRPCServer import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer
|
from SimpleXMLRPCServer import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer
|
||||||
from struct import pack
|
from struct import pack
|
||||||
import xmlrpclib
|
|
||||||
|
|
||||||
import defaults
|
import defaults
|
||||||
import helper_inbox
|
import helper_inbox
|
||||||
|
@ -46,6 +46,14 @@ from inventory import Inventory
|
||||||
from network.threads import StoppableThread
|
from network.threads import StoppableThread
|
||||||
from version import softwareVersion
|
from version import softwareVersion
|
||||||
|
|
||||||
|
try: # TODO: write tests for XML vulnerabilities
|
||||||
|
from defusedxml.xmlrpc import monkey_patch
|
||||||
|
except ImportError:
|
||||||
|
logger.warning(
|
||||||
|
'defusedxml not available, only use API on a secure, closed network.')
|
||||||
|
else:
|
||||||
|
monkey_patch()
|
||||||
|
|
||||||
str_chan = '[chan]'
|
str_chan = '[chan]'
|
||||||
str_broadcast_subscribers = '[Broadcast subscribers]'
|
str_broadcast_subscribers = '[Broadcast subscribers]'
|
||||||
|
|
||||||
|
|
Reference in New Issue
Block a user