cis-kuldeep/PyBitmessage-2021-04-27
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Used defusedxml to protect against XML vulnerabilities

Browse Source
This commit is contained in:
Dmitri Bogomolov 2018-10-25 13:57:21 +03:00
parent 2142888cbe
commit f4bf3bac2a
Signed by untrusted user: g1itch
GPG Key ID: 720A756F18DEED13
2 changed files with 10 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
setup.py
View File

@ -17,6 +17,7 @@ EXTRAS_REQUIRE = {
'qrcode': ['qrcode'], 'qrcode': ['qrcode'],
'sound;platform_system=="Windows"': ['winsound'], 'sound;platform_system=="Windows"': ['winsound'],
'tor': ['stem'], 'tor': ['stem'],
'xml': ['defusedxml'],
'docs': ['sphinx', 'sphinxcontrib-apidoc', 'm2r'] 'docs': ['sphinx', 'sphinxcontrib-apidoc', 'm2r']
} }

10
src/api.py
View File

@ -17,10 +17,10 @@ import random # nosec
import socket import socket
import subprocess import subprocess
import time import time
import xmlrpclib
from binascii import hexlify, unhexlify from binascii import hexlify, unhexlify
from SimpleXMLRPCServer import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer from SimpleXMLRPCServer import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer
from struct import pack from struct import pack
import xmlrpclib
import defaults import defaults
import helper_inbox import helper_inbox
@ -46,6 +46,14 @@ from inventory import Inventory
from network.threads import StoppableThread from network.threads import StoppableThread
from version import softwareVersion from version import softwareVersion
try: # TODO: write tests for XML vulnerabilities
from defusedxml.xmlrpc import monkey_patch
except ImportError:
logger.warning(
'defusedxml not available, only use API on a secure, closed network.')
else:
monkey_patch()
str_chan = '[chan]' str_chan = '[chan]'
str_broadcast_subscribers = '[Broadcast subscribers]' str_broadcast_subscribers = '[Broadcast subscribers]'