commit: 908a711df2180e3cbcdf8ec873bbe7bf809135db
Author: Matthew Thode gentoo org>
AuthorDate: Wed Jan 11 03:00:40 2017 +
Commit: Matt Thode gentoo org>
CommitDate: Wed Jan 11 03:01:03 2017 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=908a711d
dev-python/pysaml2: fix xxe in pysaml2
Package-Manager: portage-2.3.0
dev-python/pysaml2/files/xxe-4.0.2.patch | 305 +
dev-python/pysaml2/pysaml2-4.0.2-r1.ebuild | 37
2 files changed, 342 insertions(+)
diff --git a/dev-python/pysaml2/files/xxe-4.0.2.patch
b/dev-python/pysaml2/files/xxe-4.0.2.patch
new file mode 100644
index ..8e1a2ef
--- /dev/null
+++ b/dev-python/pysaml2/files/xxe-4.0.2.patch
@@ -0,0 +1,305 @@
+diff -Naur pysaml2/setup.py pysaml2.new/setup.py
+--- pysaml2/setup.py 2015-12-06 00:46:33.0 -0600
pysaml2.new/setup.py 2017-01-10 20:31:43.387413477 -0600
+@@ -17,6 +17,7 @@
+ 'pytz',
+ 'pyOpenSSL',
+ 'python-dateutil',
++'defusedxml',
+ 'six'
+ ]
+
+diff -Naur pysaml2/src/saml2/__init__.py pysaml2.new/src/saml2/__init__.py
+--- pysaml2/src/saml2/__init__.py 2016-01-07 05:53:57.0 -0600
pysaml2.new/src/saml2/__init__.py 2017-01-10 20:34:04.171641116 -0600
+@@ -35,6 +35,7 @@
+ import cElementTree as ElementTree
+ except ImportError:
+ from elementtree import ElementTree
++import defusedxml.ElementTree
+
+ root_logger = logging.getLogger(__name__)
+ root_logger.level = logging.NOTSET
+@@ -86,7 +87,7 @@
+ """
+ if not isinstance(xml_string, six.binary_type):
+ xml_string = xml_string.encode('utf-8')
+-tree = ElementTree.fromstring(xml_string)
++tree = defusedxml.ElementTree.fromstring(xml_string)
+ return create_class_from_element_tree(target_class, tree)
+
+
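Review bot: The replaced call `defusedxml.ElementTree.fromstring(xml_string)` relies on defusedxml's defaults, which reject entity declarations and external references but still accept a DOCTYPE, because `forbid_dtd` defaults to False. SAML messages have no legitimate need for a DTD, so consider `tree = defusedxml.ElementTree.fromstring(xml_string, forbid_dtd=True)`. The same applies to the other replaced calls: `extension_element_from_string` in this file, and the pack.py and soap.py hunks. A short comment such as `# defusedxml: reject DTD/entity declarations in untrusted SAML input` would also explain why the stdlib `ElementTree` import above is not used for parsing. The enclosing function starts outside the hunk, so it is not visible here whether callers already handle the new exception types.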
+@@ -268,7 +269,7 @@
+
+
+ def extension_element_from_string(xml_string):
+-element_tree = ElementTree.fromstring(xml_string)
++element_tree = defusedxml.ElementTree.fromstring(xml_string)
+ return _extension_element_from_element_tree(element_tree)
+
+
+diff -Naur pysaml2/src/saml2/pack.py pysaml2.new/src/saml2/pack.py
+--- pysaml2/src/saml2/pack.py 2015-12-11 07:31:39.0 -0600
pysaml2.new/src/saml2/pack.py 2017-01-10 20:35:35.382435020 -0600
+@@ -37,6 +37,7 @@
+ import cElementTree as ElementTree
+ except ImportError:
+ from elementtree import ElementTree
++import defusedxml.ElementTree
+
+ NAMESPACE = "http://schemas.xmlsoap.org/soap/envelope/;
+ FORM_SPEC = """
+@@ -235,7 +236,7 @@
+ :param text: The SOAP object as XML
+ :return: header parts and body as saml.samlbase instances
+ """
+-envelope = ElementTree.fromstring(text)
++envelope = defusedxml.ElementTree.fromstring(text)
+ assert envelope.tag == '{%s}Envelope' % NAMESPACE
+
+ # print(len(envelope))
+diff -Naur pysaml2/src/saml2/soap.py pysaml2.new/src/saml2/soap.py
+--- pysaml2/src/saml2/soap.py 2015-05-18 02:54:05.0 -0500
pysaml2.new/src/saml2/soap.py 2017-01-10 20:36:16.163808770 -0600
+@@ -19,6 +19,7 @@
+ except ImportError:
+ #noinspection PyUnresolvedReferences
+ from elementtree import ElementTree
++import defusedxml.ElementTree
+
+
+ logger = logging.getLogger(__name__)
+@@ -133,7 +134,7 @@
+ :param expected_tags: What the tag of the SAML thingy is expected to be.
+ :return: SAML thingy as a string
+ """
+-envelope = ElementTree.fromstring(text)
++envelope = defusedxml.ElementTree.fromstring(text)
+
+ # Make sure it's a SOAP message
+ assert envelope.tag == '{%s}Envelope' % soapenv.NAMESPACE
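Review bot: The new `envelope = defusedxml.ElementTree.fromstring(text)` in this hunk is not inside a `try`, so a document rejected by defusedxml (for example with `EntitiesForbidden`) propagates as a defusedxml exception. The two later hunks in soap.py (`@@ -183,7` and `@@ -209,7`) convert every parse failure to `XmlParseError`. Callers that only catch `XmlParseError` would presumably see an unhandled error on hostile input. Wrapping this call in the same `try:` / `except Exception as exc: raise XmlParseError("%s" % exc)` pattern would keep the rejection path uniform. The unwrapped call in the pack.py hunk (`@@ -235,7`) has the same shape and deserves the same check. The function body starts and continues outside the hunk.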
+@@ -183,7 +184,7 @@
+ :return: The body and headers as class instances
+ """
+ try:
+-envelope = ElementTree.fromstring(text)
++envelope = defusedxml.ElementTree.fromstring(text)
+ except Exception as exc:
+ raise XmlParseError("%s" % exc)
+
+@@ -209,7 +210,7 @@
+ :return: dictionary with two keys "body"/"header"
+ """
+ try:
+-envelope = ElementTree.fromstring(text)
++envelope = defusedxml.ElementTree.fromstring(text)
+ except Exception as exc:
+ raise XmlParseError("%s" % exc)
+
+diff -Naur pysaml2/tests/test_03_saml2.py pysaml2.new/tests/test_03_saml2.py
+--- pysaml2/tests/test_03_saml2.py 2015-06-06 02:15:20.0 -0500
pysaml2.new/tests/test_03_saml2.py 2017-01-10 20:38:32.541728380 -0600
+@@ -17,6 +17,7 @@
+ import cElementTree as ElementTree
+ except ImportError:
+ from elementtree import ElementTree
++from defusedxml.common import EntitiesForbidden
+
+ ITEMS = {
+ NameID: ["""
+@@ -27,7 +28,7 @@
+
+ """, """
+ https://foo.example.com/sp;
++ SPNameQualifier="https://foo.example.com/sp;
+
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_1632879f09d08ea5ede2dc667cbed7e429ebc4335c
+ """, """
+
+ http://192.168.0.10/saml/sp; />""",
+