On 2016-09-27 10:24:02 -0700 (-0700), Travis McPeak wrote:
> There are several attacks (https://pypi.python.org/pypi/defusedxml#id3)
> that can be performed when XML is parsed from untrusted input. DefusedXML
> offers safe alternatives to XML parsing libraries but is not currently part
> of global requirements.
>
> I propose adding DefusedXML to global requirements so that projects have an
> option for safe XML parsing. Does anybody have any thoughts or objections?
An addition to global requirements is generally accompanied by direct use in at least one project getting requirements synchronization. We have semi-regular efforts to find and "clean up" requirements which are not used by any projects, to keep the list to as sane a length as is reasonably possible and reduce its testing/tracking surface area. Getting defusedxml implemented by at least one project in the projects.txt file of the requirements repo would be a good idea both as a demonstration that it's a viable tool and also as a precaution against its later removal due to lack of use.

-- 
Jeremy Stanley

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
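The safe-versus-unsafe parsing contrast the proposal refers to, as an added example that is not from the thread or from defusedxml itself: stock ElementTree silently expands a declared entity, while the safe path (defusedxml.ElementTree when it is installed, otherwise a stdlib check that installs the same kind of expat handlers defusedxml relies on) refuses the document. The sample documents, the local EntitiesForbidden class and the helper names are constructed here.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed sample input: one internal entity stands in for the
# entity-expansion class of attack; a real payload nests many of them.
ENTITY_DOC = b'<!DOCTYPE d [<!ENTITY e "expanded">]><d>&e;</d>'
PLAIN_DOC = b"<d>plain</d>"

try:
    import defusedxml.ElementTree as DET  # preferred when available
except ImportError:
    DET = None  # fall back to the stdlib check below


class EntitiesForbidden(ValueError):
    """Raised when untrusted XML declares or references entities."""


def _reject_entities(data: bytes) -> None:
    # Same approach as defusedxml: expat handlers that raise as soon as
    # the parser meets an entity declaration or an external entity reference.
    parser = expat.ParserCreate()

    def entity_decl(name, is_pe, value, base, system_id, public_id, notation):
        raise EntitiesForbidden(f"entity declaration forbidden: {name}")

    def external_ref(context, base, system_id, public_id):
        raise EntitiesForbidden(f"external entity forbidden: {system_id}")

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.Parse(data, True)


def parse_trusting(data: bytes) -> str:
    """Stock ElementTree: the entity is expanded without complaint."""
    return ET.fromstring(data).text


def parse_untrusted(data: bytes) -> str:
    """Safe variant: defusedxml if installed, else the stdlib pre-check."""
    if DET is not None:
        return DET.fromstring(data).text  # raises defusedxml.EntitiesForbidden
    _reject_entities(data)
    return ET.fromstring(data).text


def is_rejected(data: bytes) -> bool:
    """True when the safe parser refuses the document."""
    try:  # both exception types derive from ValueError
        parse_untrusted(data)
    except ValueError:
        return True
    return False
```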