Used defusedxml to protect against XML vulnerabilities
parent
2142888cbe
commit
f4bf3bac2a
1
setup.py
1
setup.py
|
@ -17,6 +17,7 @@ EXTRAS_REQUIRE = {
|
|||
'qrcode': ['qrcode'],
|
||||
'sound;platform_system=="Windows"': ['winsound'],
|
||||
'tor': ['stem'],
|
||||
'xml': ['defusedxml'],
|
||||
'docs': ['sphinx', 'sphinxcontrib-apidoc', 'm2r']
|
||||
}
|
||||
|
||||
|
|
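Review bot: `defusedxml` is added only as the optional `xml` extra in `EXTRAS_REQUIRE`, so a plain install does not pull it in and the XML-RPC API then runs on the unpatched parser with just a warning (the fallback is in src/api.py). If the API is meant to be usable on a default install, the package belongs in the required dependency list, which is outside this hunk. Otherwise mark the extra where it is declared, e.g. `# 'xml': hardens the XML-RPC API parser; install whenever the API is enabled`.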
10
src/api.py
10
src/api.py
|
@ -17,10 +17,10 @@ import random # nosec
|
|||
import socket
|
||||
import subprocess
|
||||
import time
|
||||
import xmlrpclib
|
||||
from binascii import hexlify, unhexlify
|
||||
from SimpleXMLRPCServer import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer
|
||||
from struct import pack
|
||||
import xmlrpclib
|
||||
|
||||
import defaults
|
||||
import helper_inbox
|
||||
|
@ -46,6 +46,14 @@ from inventory import Inventory
|
|||
from network.threads import StoppableThread
|
||||
from version import softwareVersion
|
||||
|
||||
try: # TODO: write tests for XML vulnerabilities
|
||||
from defusedxml.xmlrpc import monkey_patch
|
||||
except ImportError:
|
||||
logger.warning(
|
||||
'defusedxml not available, only use API on a secure, closed network.')
|
||||
else:
|
||||
monkey_patch()
|
||||
|
||||
str_chan = '[chan]'
|
||||
str_broadcast_subscribers = '[Broadcast subscribers]'
|
||||
|
||||
|
|
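Review bot: The `except ImportError` branch added after `from version import softwareVersion` fails open: without defusedxml the API keeps parsing request bodies with the stock `xmlrpclib` parser, and the only signal is one log line at import time. Consider recording the outcome in a module-level flag (for example `xmlrpc_hardened = True` in the `else` branch) so the code that starts the API server, which is outside this hunk, can refuse to listen on a non-loopback address when the flag is false. `monkey_patch()` changes `xmlrpclib` for the whole process, which deserves a comment such as `# patches xmlrpclib globally; must run before any request is parsed`. The hunk does not show where `logger` is bound, so confirm it is imported above this block; otherwise the fallback itself raises `NameError`. The TODO should become a test asserting that a request carrying a DTD or entity declaration is answered with a fault rather than parsed.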