xml.dom.minidom.parseString to parse untrusted XML is vulnerable to attack #346
Comments
Can I take up this issue? |
Yes please |
Can you tell what I am supposed to do? @cclauss |
@starlord1311, you have to use a defusedxml function to fill the role of xml.dom.minidom.parseString, because the latter is not a safe choice and is susceptible to different threats (e.g. the billion laughs attack). |
Agreed... |
@starlord1311, you working on this? |
starlord1311 pushed a commit to starlord1311/query-server that referenced this issue on Dec 11, 2017:
Lookup scrapers by name, not by initial (fossasia#327) Add support for Python 3 (fossasia#343) Fixes fossasia#357 Add Mojeek in README (fossasia#358) Lookup scrapers by name, not by initial (fossasia#327) Fixes fossasia#357 Add Mojeek in README (fossasia#358) Lookup scrapers by name, not by initial (fossasia#327) changesmade to server.py to prevent XML attacks defusedxml
vaibhavsingh97 pushed a commit that referenced this issue on Dec 11, 2017.
https://www.codacy.com/app/fossasia/query-server/issues says: app/server.py
Using xml.dom.minidom.parseString to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.dom.minidom.parseString with its defusedxml equivalent function.
Line 71: xmlfeed = parseString(
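The Codacy finding in the issue body and the advice in the thread to swap in a defusedxml function both come down to one mechanism: a DTD that declares nested internal entities makes a stdlib parser expand a few hundred input bytes into megabytes of text (the billion laughs attack). What follows is an added example, not code from query-server or from defusedxml. It builds a constructed, deliberately scaled-down entity bomb (three levels of eight references rather than the usual ten of ten, so it finishes in milliseconds), runs it through the same `xml.dom.minidom.parseString` call that server.py uses to show the expansion, and then runs it through a stdlib-only guard that hooks expat's entity-declaration callback and refuses the document before anything is expanded, which is the approach defusedxml takes. The names `EntityRefusingBuilder`, `EntitiesForbidden`, `safe_parse_string`, `unsafe_parse_string`, `title_text`, `is_rejected` and the two sample documents are this example's own assumptions; in the project itself the drop-in fix Codacy asks for is `from defusedxml.minidom import parseString`.

```python
"""Billion laughs against xml.dom.minidom.parseString, and a defusedxml-style guard.

Added example, not code from query-server or from defusedxml.
"""
import xml.dom.minidom as minidom
from xml.dom import expatbuilder

# Constructed, deliberately small entity bomb: three levels of eight references,
# so &lol3; expands to 8 * 8 * 8 = 512 copies of "lol" (1536 characters) out of
# a document of a few hundred bytes. The real attack nests ~10 levels of 10.
ENTITY_BOMB = b"""<?xml version="1.0"?>
<!DOCTYPE feed [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<feed><title>&lol3;</title></feed>
"""

# Constructed benign document, the kind of feed a scraper would hand to parseString.
BENIGN_FEED = b'<?xml version="1.0"?><feed><title>query-server feed</title></feed>'


class EntitiesForbidden(ValueError):
    """Raised when an untrusted document declares any entity (name chosen for this example)."""


class EntityRefusingBuilder(expatbuilder.ExpatBuilderNS):
    """ExpatBuilderNS variant whose expat parser refuses every <!ENTITY ...> declaration.

    Same mechanism defusedxml applies: the entity is rejected when it is declared,
    so expat never gets to expand a single reference and no amplification occurs.
    """

    def install(self, parser):
        super().install(parser)
        # Replace the stdlib handler that records entities with one that refuses them.
        parser.EntityDeclHandler = self._refuse_entity

    @staticmethod
    def _refuse_entity(name, is_parameter_entity, value, base,
                       system_id, public_id, notation_name):
        kind = "parameter" if is_parameter_entity else "general"
        raise EntitiesForbidden(f"{kind} entity {name!r} declared in untrusted XML")


def unsafe_parse_string(xml_bytes):
    """The pattern flagged in server.py: stdlib minidom expands internal entities freely."""
    return minidom.parseString(xml_bytes)


def safe_parse_string(xml_bytes):
    """Same call shape as parseString, but raises EntitiesForbidden instead of expanding."""
    return EntityRefusingBuilder().parseString(xml_bytes)


def title_text(doc):
    """Concatenate the text nodes under the first <title> element of a parsed document."""
    title = doc.getElementsByTagName("title")[0]
    return "".join(n.data for n in title.childNodes if n.nodeType == n.TEXT_NODE)


def is_rejected(xml_bytes):
    """True if the guarded parser refuses the document, False if it parses cleanly."""
    try:
        safe_parse_string(xml_bytes)
    except EntitiesForbidden:
        return True
    return False


if __name__ == "__main__":
    expanded = title_text(unsafe_parse_string(ENTITY_BOMB))
    print(f"minidom.parseString: {len(ENTITY_BOMB)} input bytes -> {len(expanded)} title characters")
    print(f"guarded parser rejects the bomb: {is_rejected(ENTITY_BOMB)}")
    print(f"guarded parser on benign feed: {title_text(safe_parse_string(BENIGN_FEED))!r}")
```

The unsafe path returns 1536 characters of title text from a document that is a few hundred bytes long; the guarded path raises on the first `<!ENTITY` and still parses the benign feed normally. Two caveats for anyone hardening server.py: refusing entity declarations outright is the right default for a scraper that never needs a DTD, and it is cheaper than trying to cap expansion after the fact; and recent expat releases (2.4.1 and later) do impose an amplification limit, but that limit depends on which expat the interpreter was built against and only activates above a sizeable output threshold, which is why the sample above stays well below it and why the guard, not the library version, is the defense to rely on.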