authorFlorian Rüchel <fruechel@atlassian.com>2016-10-31 11:56:48 +1100
committerFlorian Rüchel <fruechel@atlassian.com>2016-10-31 11:56:48 +1100
commit6e09a25d9b4b7aa7a506853210a9a14100b8bc9b (patch)
treebae193001aec28d7b6cc32cbe3c1d9bdd0777833 /src/saml2/pack.py
parent78261b9ae13c3855b33009cb1c5abc2c45839828 (diff)
Fix XXE in XML parsing (related to #366)
This fixes XXE issues anywhere pysaml2 parses XML directly, as part of issue #366. It doesn't address the xmlsec issues discussed on that ticket, as they are out of reach of a direct fix and need the underlying library to fix this issue.
Diffstat (limited to 'src/saml2/pack.py')
-rw-r--r--src/saml2/pack.py3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/saml2/pack.py b/src/saml2/pack.py
index e4c14625..728a516f 100644
--- a/src/saml2/pack.py
+++ b/src/saml2/pack.py
@@ -37,6 +37,7 @@ except ImportError:
import cElementTree as ElementTree
except ImportError:
from elementtree import ElementTree
+import defusedxml.ElementTree
NAMESPACE = "http://schemas.xmlsoap.org/soap/envelope/"
FORM_SPEC = """<form method="post" action="%s">
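Review bot: The added `import defusedxml.ElementTree` sits outside the try/except ImportError chain just above it, so defusedxml becomes a hard import-time requirement of pack.py while the ElementTree fallbacks still suggest an optional-dependency style; if defusedxml is not already listed in the package's install requirements (not visible here), a plain install will now fail at import. A short comment would make the intent explicit: `# defusedxml is required: it rejects entity expansion and external references in untrusted SAML XML`. Note also that `defusedxml.ElementTree.fromstring` defaults to `forbid_dtd=False`, so a DTD in the incoming message is still parsed even though entity declarations and external references are rejected; since SOAP/SAML messages never legitimately carry a DOCTYPE, the call in the next hunk could pass `forbid_dtd=True` to reject them outright. Any remaining `ElementTree.fromstring` or `ElementTree.parse` calls elsewhere in this file are outside the diff and should be checked for the same replacement.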
@@ -235,7 +236,7 @@ def parse_soap_enveloped_saml(text, body_class, header_class=None):
:param text: The SOAP object as XML
:return: header parts and body as saml.samlbase instances
"""
- envelope = ElementTree.fromstring(text)
+ envelope = defusedxml.ElementTree.fromstring(text)
assert envelope.tag == '{%s}Envelope' % NAMESPACE
# print(len(envelope))