Merge "Added to resolve Bandit: Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks.(DE893)"
@@ -18,8 +18,9 @@ response with one formatted so the client can parse it.
|
|||||||
Based on pecan.middleware.errordocument
|
Based on pecan.middleware.errordocument
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
from defusedxml import ElementTree
|
||||||
import json
|
import json
|
||||||
from xml import etree as et
|
# from xml import etree as et
|
||||||
|
|
||||||
import webob
|
import webob
|
||||||
|
|
||||||
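Review bot: The replaced import is kept as a comment, `# from xml import etree as et`; a dead import should be deleted outright rather than commented out, since the history already records it. The new `from defusedxml import ElementTree` line is also placed above `import json`, while the rest of this block puts standard-library imports before third-party ones such as `webob`, so it belongs in the third-party group next to `import webob`. The body that this module parses appears to be the wrapped application's own response (`app_iter` in the second hunk), so the swap reads as defence in depth for that response body rather than a fix for a request-controlled parse path; a one-line comment such as `# defusedxml: rejects DTDs and entity expansion in the upstream response body` would tell the next reader why a non-stdlib parser is used here.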
@@ -69,11 +70,11 @@ class ParsableErrorMiddleware(object):
|
|||||||
== 'application/xml'):
|
== 'application/xml'):
|
||||||
try:
|
try:
|
||||||
# simple check xml is valid
|
# simple check xml is valid
|
||||||
body = [et.ElementTree.tostring(
|
body = [ElementTree.tostring(
|
||||||
et.ElementTree.fromstring('<error_message>'
|
ElementTree.fromstring('<error_message>'
|
||||||
+ '\n'.join(app_iter)
|
+ '\n'.join(app_iter)
|
||||||
+ '</error_message>'))]
|
+ '</error_message>'))]
|
||||||
except et.ElementTree.ParseError as err:
|
except ElementTree.ParseError as err:
|
||||||
LOG.error(_LE('Error parsing HTTP response: %s'), err)
|
LOG.error(_LE('Error parsing HTTP response: %s'), err)
|
||||||
body = ['<error_message>%s' % state['status_code']
|
body = ['<error_message>%s' % state['status_code']
|
||||||
+ '</error_message>']
|
+ '</error_message>']
|
||||||
|
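Review bot: The `except ElementTree.ParseError as err:` clause no longer covers every failure of the new parser: defusedxml rejects a body containing a DTD, an entity declaration or an external reference by raising `DTDForbidden`, `EntitiesForbidden` or `ExternalReferenceForbidden`, which derive from `DefusedXmlException` (a `ValueError`), not from `ParseError`. Such a body therefore escapes the handler, and the middleware raises instead of emitting the fallback `<error_message>%s</error_message>` body built in the except branch. Widen the clause to `except (ElementTree.ParseError, DefusedXmlException) as err:` and add `from defusedxml import DefusedXmlException` to the import block changed in the first hunk. The enclosing method of `ParsableErrorMiddleware` starts before this hunk and continues after it.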
@@ -20,3 +20,4 @@ python-glanceclient>=0.15.0,<0.18.0
|
|||||||
python-neutronclient>=2.4.0,<2.5.0
|
python-neutronclient>=2.4.0,<2.5.0
|
||||||
python-novaclient>=2.22.0,<2.24.0
|
python-novaclient>=2.22.0,<2.24.0
|
||||||
WSME>=0.6,<0.7
|
WSME>=0.6,<0.7
|
||||||
|
defusedxml>=0.4.1
|
||||||
|
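Review bot: `defusedxml>=0.4.1` is the only entry in this file without an upper bound; the neighbouring requirements (`WSME>=0.6,<0.7`, `python-novaclient>=2.22.0,<2.24.0`) are all capped, presumably mirroring a shared requirements list. If this file is synced from such a list, the new line should carry the same range form as there; otherwise a cap consistent with the rest of the file keeps the style uniform.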