Julien, I believe all the lessons learned from defusedxml (see the release dates) have been folded back into the different libraries. For example, plain old etree.fromstring(), even without any special options, is ok with the specially crafted xml bombs that you can find as test cases in the defusedxml repo. There is some more information here as well (http://lxml.de/FAQ.html#is-lxml-vulnerable-to-xml-bombs). So at this point, unless we see a new attack vector other than the ones that caused folks to whip up defusedxml, we should be good. So Option #2 is definitely the way to go.
thanks,
dims

On Tue, Sep 30, 2014 at 3:45 AM, Julien Danjou <jul...@danjou.info> wrote:
> On Mon, Sep 29 2014, Joshua Harlow wrote:
>
>> Do we know that the users (keystone, neutron...) aren't vulnerable?
>>
>> From https://pypi.python.org/pypi/defusedxml#python-xml-libraries it sure seems
>> like we would likely still have issues if custom implementations are being
>> used/created. Perhaps we should just use the defusedxml libraries until proven
>> otherwise (better to be safe than sorry).
>
> According to LP#1100282¹, Keystone and Neutron are supposed to not be
> vulnerable with different fixes than Nova.
>
> Since all the solutions are different, I'm not sure it covers the
> problem in its entirety in all cases.
>
> I see 2 options:
> 1. Put effort to move all projects to defusedxml
> 2. Since XML APIs are going to be deprecated (at least in Nova), move
> xmlutils to Nova and be done with it.
>
> Solution 1 requires a lot more effort, and I wonder if it's worth it.
>
>
> ¹ https://bugs.launchpad.net/bugs/1100282
>
> --
> Julien Danjou
> // Free Software hacker
> // http://julien.danjou.info
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>

--
Davanum Srinivas :: https://twitter.com/dims
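For readers following the defusedxml discussion above, here is an added example (not code from this thread, from defusedxml or from any OpenStack project) of the defence defusedxml applies: refusing DTD and entity declarations before anything is expanded, so the entity-expansion bombs in its test suite never inflate. It is stdlib-only; the function name `safe_fromstring`, the helper `rejected` and the constructed sample `BOMB_SEED` are this example's own, while the flag names and defaults follow defusedxml's documented `fromstring()` signature.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class ForbiddenXML(ValueError):
    """Raised before any entity is expanded, so a bomb never inflates."""


def safe_fromstring(text, forbid_dtd=False, forbid_entities=True,
                    forbid_external=True):
    """Parse untrusted XML into an ElementTree root, refusing the DTD
    constructs that entity-expansion bombs (and XXE) depend on.
    Flag names/defaults mirror defusedxml; the body is a stdlib-only
    re-implementation written for this example (assumed, not defusedxml's)."""
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()   # no namespace processing: raw tag names
    parser.buffer_text = True       # deliver character data in larger chunks

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if forbid_dtd:
            raise ForbiddenXML("DOCTYPE declaration refused: %r" % name)

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        # Billion-laughs and quadratic-blowup payloads are built from
        # entity declarations; refusing the declaration defeats both.
        if forbid_entities:
            raise ForbiddenXML("entity declaration refused: %r" % name)

    def on_external(context, base, sysid, pubid):
        if forbid_external:
            raise ForbiddenXML("external entity refused: %r" % sysid)
        return 1                    # tell expat to continue without it

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_external
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(text, True)
    return builder.close()


def rejected(text, **opts):
    """True if safe_fromstring() refuses the document (handy for logging)."""
    try:
        safe_fromstring(text, **opts)
    except ForbiddenXML:
        return True
    return False


# Constructed sample: one internal-subset entity, the building block of the
# bombs in defusedxml's tests, scaled down to a single harmless definition.
BOMB_SEED = '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY lol "lol">]><x>&lol;</x>'
```

With the defaults the sample is refused at the entity declaration, before `&lol;` is ever resolved; ordinary documents without a DTD parse normally.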