
Mitigate XML parse risks

The intended xml never has !entity tags and
thus we can reject any such XML outright and
avoid billion laughs and similar abuses.
Jarrod Johnson 2021-01-21 17:46:21 -05:00
parent 22dc852277
commit c8e1efecdb


@ -27,7 +27,12 @@ import confluent.netutil as netutil
import confluent.util as util
getaddrinfo = eventlet.support.greendns.getaddrinfo
from xml.etree.ElementTree import fromstring
from xml.etree.ElementTree import fromstring as rfromstring
def fromstring(inputdata):
if '!entity' in inputdata.lower():
raise Exception('!ENTITY not supported in this interface')
return rfromstring(inputdata)
def fixuuid(baduuid):
# SMM dumps it out in hex
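Review bot: The guard in the new `fromstring` wrapper is a substring test on the raw input, so it depends on the input's type and encoding rather than on what the parser sees. Under Python 3 a `bytes` argument makes `'!entity' in inputdata.lower()` raise TypeError (the callers are not visible in this hunk, so confirm what they pass), and a document that is not in an ASCII-compatible encoding would not contain the literal marker at all. Since the commit message says the expected XML never declares entities, I would pick a marker of the matching type and also refuse any DOCTYPE, which is the only place entity declarations can appear, e.g. `marker = b'<!doctype' if isinstance(inputdata, bytes) else '<!doctype'` followed by `if marker in inputdata.lower():`. Raising `ValueError` rather than bare `Exception` would let callers tell rejected input from other failures while still being caught by any existing `except Exception`. If a new dependency is acceptable, refusing DTDs at the parser level (for example with the defusedxml package) would make the filter independent of encoding.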