xCAT/confluent
2
0
Fork 0
mirror of https://github.com/xcat2/confluent.git synced 2024-11-22 01:22:00 +00:00
Code Issues Projects Releases Wiki Activity

Mitigate XML parse risks

Browse Source 
The intended xml never has !entity tags and
thus we can reject any such XML outright and
avoid billion laughs and similar abuses.
This commit is contained in:
Jarrod Johnson 2021-01-21 17:46:21 -05:00
parent 22dc852277
commit c8e1efecdb
1 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
confluent_server/confluent/discovery/handlers/smm.py
View File

@ -27,7 +27,12 @@ import confluent.netutil as netutil
import confluent.util as util
getaddrinfo = eventlet.support.greendns.getaddrinfo
from xml.etree.ElementTree import fromstring
from xml.etree.ElementTree import fromstring as rfromstring
def fromstring(inputdata):
if '!entity' in inputdata.lower():
raise Exception('!ENTITY not supported in this interface')
return rfromstring(inputdata)
def fixuuid(baduuid):
# SMM dumps it out in hex