author | Florian Rüchel <fruechel@atlassian.com> | 2016-10-31 11:56:48 +1100 |
---|---|---|
committer | Florian Rüchel <fruechel@atlassian.com> | 2016-10-31 11:56:48 +1100 |
commit | 6e09a25d9b4b7aa7a506853210a9a14100b8bc9b (patch) | |
tree | bae193001aec28d7b6cc32cbe3c1d9bdd0777833 /src/saml2/pack.py | |
parent | 78261b9ae13c3855b33009cb1c5abc2c45839828 (diff) | |
download | pysaml2-6e09a25d9b4b7aa7a506853210a9a14100b8bc9b.tar.gz |
Fix XXE in XML parsing (related to #366)
This fixes XXE issues on every code path where pysaml2 parses XML directly, as
tracked in issue #366. It doesn't address the xmlsec issues discussed on that
ticket, as they are out of reach of a direct fix and need the underlying library
to fix them.
Diffstat (limited to 'src/saml2/pack.py')
-rw-r--r-- | src/saml2/pack.py | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/saml2/pack.py b/src/saml2/pack.py
index e4c14625..728a516f 100644
--- a/src/saml2/pack.py
+++ b/src/saml2/pack.py
@@ -37,6 +37,7 @@ except ImportError:
 import cElementTree as ElementTree
 except ImportError:
 from elementtree import ElementTree
+import defusedxml.ElementTree
 NAMESPACE = "http://schemas.xmlsoap.org/soap/envelope/"
 FORM_SPEC = """<form method="post" action="%s">
@@ -235,7 +236,7 @@ def parse_soap_enveloped_saml(text, body_class, header_class=None):
 :param text: The SOAP object as XML
 :return: header parts and body as saml.samlbase instances
 """
- envelope = ElementTree.fromstring(text)
+ envelope = defusedxml.ElementTree.fromstring(text)
 assert envelope.tag == '{%s}Envelope' % NAMESPACE
 # print(len(envelope))
 |
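Review bot: The new `defusedxml.ElementTree.fromstring(text)` call rejects DTDs, entity expansion and external references by raising defusedxml's own exception family (`DefusedXmlException` and its subclasses, which as far as I recall derive from `ValueError`, not from the `ParseError` the old `ElementTree.fromstring` raised), so a caller that wraps this function in `except ParseError` will now let a hostile SOAP body escape as an unhandled exception rather than a parse failure; the docstring should record this with `:raises defusedxml.DefusedXmlException: if the XML declares a DTD, entities or external references`. The `assert envelope.tag == '{%s}Envelope' % NAMESPACE` on the following context line is the only root-element check, and `text` is attacker-supplied SOAP, yet an `assert` is stripped under `python -O`; `if envelope.tag != '{%s}Envelope' % NAMESPACE: raise ValueError("not a SOAP Envelope")` would keep the check in every build. The first hunk makes `defusedxml` a hard import at module level, so it presumably needs to be declared as an install requirement in a sibling file not shown here. parse_soap_enveloped_saml begins before this hunk and continues after it.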