On Tue, Sep 30 2014, Davanum Srinivas wrote:

> I believe all the lessons learned from defusedxml (see the release
> dates) have been folded back into the different libraries. For example
> plain old etree.fromstring() even without any special options is ok
> with the specially crafted xml bombs that you can find as test cases
> in defusedxml repo. There is some more information here as well
> (http://lxml.de/FAQ.html#is-lxml-vulnerable-to-xml-bombs). So at this
> point, unless we see a new attack vector other than the ones that
> caused folks to whip up defusedxml, we should be good. So Option #2 is
> definitely the way to go.
Thanks for this information, dims! I'll start working on that ASAP.

-- 
Julien Danjou
-- Free Software hacker
-- http://julien.danjou.info
_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
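The XML-bomb behaviour the thread is about, as an added example; this is not code from the thread, from defusedxml, from lxml or from OpenStack. It uses the standard library's expat binding instead of lxml so it runs with no extra packages: the "naive" parse goes through xml.etree.ElementTree to show how much a small entity-expansion document grows once parsed, and the hardened parse refuses the document at its first entity declaration, which is the rule defusedxml applies when it raises EntitiesForbidden. The document `SMALL_BOMB` is a constructed, scaled-down billion-laughs input (three levels of ten-fold expansion instead of the usual nine or ten), and the names `BENIGN`, `naive_text_length`, `amplification`, `parse_hardened` and `is_safe` are chosen here.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class EntitiesForbidden(ValueError):
    """Raised when a document declares any entity, internal or external."""


# Constructed sample (not from the defusedxml test suite): a scaled-down
# billion-laughs document. Three levels of ten-fold expansion turn roughly
# 300 bytes of input into 1000 copies of "lol" in the parsed text. Real
# bombs nest nine or ten levels and expand to gigabytes.
SMALL_BOMB = """<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""

# Constructed benign document with no DOCTYPE at all.
BENIGN = '<?xml version="1.0"?><root><item id="1">ok</item></root>'


def naive_text_length(doc):
    """Parse with plain stdlib ElementTree (entities expanded) and return
    the length of the root element's text after expansion."""
    root = ET.fromstring(doc)
    return len(root.text or "")


def amplification(doc):
    """Ratio of expanded text size to input size: the attacker's leverage."""
    return naive_text_length(doc) / len(doc)


def parse_hardened(doc):
    """Parse with expat but abort on the first entity declaration or
    external entity reference. Returns the list of (tag, attrs) seen.

    Refusing all entity declarations is the same policy defusedxml uses
    (it raises EntitiesForbidden from the entity-declaration callback), so
    the bomb is rejected before a single entity is expanded.
    """
    parser = expat.ParserCreate()
    elements = []

    def forbid_entity(name, is_parameter_entity, value, base,
                      system_id, public_id, notation_name):
        # Fires for <!ENTITY ...> in the internal subset, before expansion.
        raise EntitiesForbidden("entity declaration not allowed: %r" % name)

    def forbid_external(context, base, system_id, public_id):
        # Fires if the parser is asked to fetch an external entity (XXE).
        raise EntitiesForbidden("external entity not allowed: %r" % system_id)

    parser.EntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = forbid_external
    parser.StartElementHandler = lambda tag, attrs: elements.append((tag, attrs))
    parser.Parse(doc, True)
    return elements


def is_safe(doc):
    """True if the hardened parser accepts the document, False if it
    contains entity declarations or external references."""
    try:
        parse_hardened(doc)
    except EntitiesForbidden:
        return False
    return True


if __name__ == "__main__":
    print("naive parse expands the bomb to %d chars (x%.1f)"
          % (naive_text_length(SMALL_BOMB), amplification(SMALL_BOMB)))
    print("hardened parse accepts benign doc:", is_safe(BENIGN))
    print("hardened parse accepts bomb:", is_safe(SMALL_BOMB))
```

The point of the amplification figure is that the defence has to act at declaration time: once a parser starts substituting `&lol3;`, the cost is already paid, and a parser that "handles" bombs (as the thread says lxml's does) must be doing so by limiting expansion internally rather than by anything the caller does.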