Used defusedxml to protect against XML vulnerabilities

setup.py

@@ -17,6 +17,7 @@ EXTRAS_REQUIRE = {
     'qrcode': ['qrcode'],
     'sound;platform_system=="Windows"': ['winsound'],
     'tor': ['stem'],
+    'xml': ['defusedxml'],
     'docs': ['sphinx', 'sphinxcontrib-apidoc', 'm2r']
 }
 

src/api.py

@@ -17,10 +17,10 @@ import random  # nosec
 import socket
 import subprocess
 import time
+import xmlrpclib
 from binascii import hexlify, unhexlify
 from SimpleXMLRPCServer import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer
 from struct import pack
-import xmlrpclib
 
 import defaults
 import helper_inbox
@@ -46,6 +46,14 @@ from inventory import Inventory
 from network.threads import StoppableThread
 from version import softwareVersion
 
+try:  # TODO: write tests for XML vulnerabilities
+    from defusedxml.xmlrpc import monkey_patch
+except ImportError:
+    logger.warning(
+        'defusedxml not available, only use API on a secure, closed network.')
+else:
+    monkey_patch()
+
 str_chan = '[chan]'
 str_broadcast_subscribers = '[Broadcast subscribers]'