This was also needed for Python 2.6, right? Do we have confirmation that we can drop that for Kilo?
-Ben

On 09/30/2014 08:28 AM, Doug Hellmann wrote:
> I agree, it sounds like option 2 is safe.
>
> Julien, I updated your commit message on
> https://review.openstack.org/#/c/125021/ to point to this thread.
>
> Write-it-down-ly,
> Doug
>
> On Sep 30, 2014, at 7:17 AM, Davanum Srinivas <dava...@gmail.com> wrote:
>
>> Julien,
>>
>> I believe all the lessons learned from defusedxml (see the release
>> dates) have been folded back into the different libraries. For example,
>> plain old etree.fromstring() even without any special options is ok
>> with the specially crafted XML bombs that you can find as test cases
>> in the defusedxml repo. There is some more information here as well
>> (http://lxml.de/FAQ.html#is-lxml-vulnerable-to-xml-bombs). So at this
>> point, unless we see a new attack vector other than the ones that
>> caused folks to whip up defusedxml, we should be good. So Option #2 is
>> definitely the way to go.
>>
>> thanks,
>> dims
>>
>> On Tue, Sep 30, 2014 at 3:45 AM, Julien Danjou <jul...@danjou.info> wrote:
>>> On Mon, Sep 29 2014, Joshua Harlow wrote:
>>>
>>>> Do we know that the users (keystone, neutron...) aren't vulnerable?
>>>>
>>>> From https://pypi.python.org/pypi/defusedxml#python-xml-libraries it sure
>>>> seems like we would likely still have issues if custom implementations
>>>> are being used/created. Perhaps we should just use the defusedxml
>>>> libraries until proven otherwise (better to be safe than sorry).
>>>
>>> According to LP#1100282¹, Keystone and Neutron are supposed to not be
>>> vulnerable, with different fixes than Nova.
>>>
>>> Since all the solutions are different, I'm not sure it covers the
>>> problem in its entirety in all cases.
>>>
>>> I see 2 options:
>>> 1. Put effort into moving all projects to defusedxml.
>>> 2. Since XML APIs are going to be deprecated (at least in Nova), move
>>>    xmlutils to Nova and be done with it.
>>>
>>> Solution 1 requires a lot more effort, and I wonder if it's worth it.
>>>
>>>
>>> ¹ https://bugs.launchpad.net/bugs/1100282
>>>
>>> --
>>> Julien Danjou
>>> // Free Software hacker
>>> // http://julien.danjou.info
>>>
>>> _______________________________________________
>>> OpenStack-dev mailing list
>>> OpenStack-dev@lists.openstack.org
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>> --
>> Davanum Srinivas :: https://twitter.com/dims
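The thread turns on two claims: that a plain `etree.fromstring()` is "ok with" the defusedxml test-case bombs, and that custom implementations (nova's xmlutils, the Keystone and Neutron fixes) might still be exposed. The example below is added here to make both concrete; it is not code from the thread, from nova's xmlutils, or from defusedxml. It builds a scaled-down "billion laughs" document (a constructed sample, three levels of ten references instead of the classic ten levels), shows that the standard-library `xml.etree` parser expands it, and then parses the same input through the hooks that defusedxml's parser installs on expat (reject entity declarations and external entity references before any expansion), written directly against `xml.parsers.expat` with an `ElementTree.TreeBuilder`. The function names `make_entity_bomb`, `parse_trusting`, `expansion_ratio`, `parse_hardened`, `is_rejected` and the `EntitiesForbidden` exception are this example's own.

```python
"""Scaled-down "billion laughs" check, stdlib only.

Added illustration for the xmlutils/defusedxml thread above; not nova or
defusedxml code. All names here and the sample document are this example's.
"""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class EntitiesForbidden(ValueError):
    """Raised when a document declares an entity (or a DOCTYPE, if forbidden)."""


def make_entity_bomb(levels: int = 3, fanout: int = 10) -> str:
    """Constructed sample input: entity lolN references lol(N-1) `fanout`
    times, so the text expands to fanout**levels copies of "lol".
    The classic payload uses levels=10 (10**10 copies); 3 keeps the run cheap.
    """
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, levels + 1):
        refs = f"&lol{i - 1};" * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    dtd = "\n".join(decls)
    return f'<?xml version="1.0"?>\n<!DOCTYPE lolz [\n{dtd}\n]>\n<lolz>&lol{levels};</lolz>'


def parse_trusting(data: str) -> ET.Element:
    """Plain stdlib parse: expat expands internal entities as it goes."""
    return ET.fromstring(data)


def expansion_ratio(data: str) -> float:
    """Characters of text the trusting parser produced per character of input."""
    root = parse_trusting(data)
    return len(root.text or "") / len(data)


def parse_hardened(data: str, forbid_dtd: bool = False) -> ET.Element:
    """Parse with expat directly and refuse entities before expansion.

    Same idea as defusedxml's DefusedXMLParser defaults (forbid_entities and
    forbid_external on, forbid_dtd off): the handlers fire on the *declaration*,
    so no expansion ever happens and the cost is bounded by the input size.
    """
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()

    def forbid_entity(name, *_):
        raise EntitiesForbidden(f"entity declaration not allowed: {name!r}")

    def forbid_external(context, base, system_id, public_id):
        raise EntitiesForbidden(f"external entity not allowed: {system_id!r}")

    def forbid_doctype(name, system_id, public_id, has_internal_subset):
        raise EntitiesForbidden(f"DOCTYPE not allowed: {name!r}")

    parser.EntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = forbid_external
    if forbid_dtd:
        parser.StartDoctypeDeclHandler = forbid_doctype

    # Plain tree building; expat hands element names, attribute dicts and text
    # chunks to the TreeBuilder, which assembles the Element tree.
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)
    return builder.close()


def is_rejected(data: str, **kwargs) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_hardened(data, **kwargs)
    except EntitiesForbidden:
        return False or True
    return False


if __name__ == "__main__":
    bomb = make_entity_bomb()
    print(f"input: {len(bomb)} chars, trusting parse yields "
          f"{len(parse_trusting(bomb).text)} chars of text "
          f"(ratio {expansion_ratio(bomb):.1f}x)")
    print("hardened parser rejects bomb:", is_rejected(bomb))
    print("hardened parser accepts plain XML:", not is_rejected("<a><b>ok</b></a>"))
```

Two caveats worth keeping in mind when reading the thread's "plain etree.fromstring() is ok" claim against this output: the stdlib parser still expands the entities here (the text comes back roughly ten times the size of the input, which is exactly the amplification a full-size payload abuses), and the libexpat amplification cap that newer releases ship is a resource limit that triggers late, not a refusal of the construct. The declaration-level guard above fails fast on the first `<!ENTITY ...>`, which is the property the custom xmlutils implementations need to preserve if they are kept instead of moving to defusedxml.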