On Tue, Sep 30 2014, Davanum Srinivas wrote:

> I believe all the lessons learned from defusedxml (see the release
> dates) have been folded back into the different libraries. For example
> plain old etree.fromstring() even without any special options is ok
> with the specially crafted xml bombs that you can find as test cases
> in defusedxml repo. There is some more information here as well
> (http://lxml.de/FAQ.html#is-lxml-vulnerable-to-xml-bombs). So at this
> point, unless we see a new attack vector other than the ones that
> caused folks to whip up defusedxml, we should be good. So Option #2 is
> definitely the way to go

Thanks for this information dims! I'll start working on that ASAP.

Julien Danjou
-- Free Software hacker
-- http://julien.danjou.info
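The up-front refusal of DTD and entity declarations that the quoted message credits to defusedxml, reduced to a minimal form using only the standard library's expat parser. This is an added example written for this page, not code from the thread, from lxml or from defusedxml; the function and class names and the sample documents are my own.

```python
# Added example: reject DTD and entity declarations before any expansion can
# happen (the defusedxml forbid_dtd / forbid_entities idea), on top of the
# standard-library expat parser so it runs without lxml or defusedxml installed.
import xml.parsers.expat as expat


class ForbiddenXML(ValueError):
    """Raised when a document declares a DTD or entities we refuse to process."""


def parse_without_entities(data: bytes, forbid_dtd: bool = True) -> list:
    """Parse XML and return a (tag, attrs) tuple for each start element.

    Entity declarations and external entity references are rejected from the
    handler, so the parser stops before it ever expands anything; with
    forbid_dtd=True any DOCTYPE at all is rejected, which is the stricter setting.
    """
    events = []
    parser = expat.ParserCreate()

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise ForbiddenXML("entity declaration not allowed: %s" % name)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenXML("DOCTYPE not allowed: %s" % name)

    def on_external_entity(context, base, system_id, public_id):
        raise ForbiddenXML("external entity reference not allowed")

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity
    if forbid_dtd:
        parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = lambda tag, attrs: events.append((tag, dict(attrs)))

    parser.Parse(data, True)  # exceptions raised in handlers propagate from here
    return events


# Constructed sample input: a plain document, and one with an internal entity.
BENIGN = b'<root a="1"><child/></root>'
WITH_ENTITY = b'<!DOCTYPE r [<!ENTITY e "x">]><r>&e;</r>'


def check(data: bytes, forbid_dtd: bool = True) -> str:
    """Return 'ok' if the document parsed, 'rejected' if the handlers refused it."""
    try:
        parse_without_entities(data, forbid_dtd=forbid_dtd)
        return "ok"
    except ForbiddenXML:
        return "rejected"


if __name__ == "__main__":
    print(check(BENIGN), check(WITH_ENTITY), check(WITH_ENTITY, forbid_dtd=False))
```

With forbid_dtd=False the document is still refused, but by the entity-declaration handler instead of the DOCTYPE handler, which shows the two checks are independent layers.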

OpenStack-dev mailing list