mirror of
https://github.com/xcat2/confluent.git
synced 2024-12-25 12:41:39 +00:00
Mitigate XML parse risks
The intended xml never has !entity tags and thus we can reject any such XML outright and avoid billion laughs and similar abuses.
This commit is contained in:
parent
22dc852277
commit
c8e1efecdb
@ -27,7 +27,12 @@ import confluent.netutil as netutil
|
||||
import confluent.util as util
|
||||
getaddrinfo = eventlet.support.greendns.getaddrinfo
|
||||
|
||||
from xml.etree.ElementTree import fromstring
|
||||
from xml.etree.ElementTree import fromstring as rfromstring
|
||||
|
||||
def fromstring(inputdata):
|
||||
if '!entity' in inputdata.lower():
|
||||
raise Exception('!ENTITY not supported in this interface')
|
||||
return rfromstring(inputdata)
|
||||
|
||||
def fixuuid(baduuid):
|
||||
# SMM dumps it out in hex
|
||||
|
Loading…
Reference in New Issue
Block a user