Added to resolve a Bandit finding: using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. (DE893)
Change-Id: I4d04d2a219d61765f86ab45e8dbbb6d27a116687
parent
fe9a473d51
commit
92de847823
|
@ -18,8 +18,9 @@ response with one formatted so the client can parse it.
|
|||
Based on pecan.middleware.errordocument
|
||||
"""
|
||||
|
||||
from defusedxml import ElementTree
|
||||
import json
|
||||
from xml import etree as et
|
||||
# from xml import etree as et
|
||||
|
||||
import webob
|
||||
|
||||
|
@ -69,11 +70,11 @@ class ParsableErrorMiddleware(object):
|
|||
== 'application/xml'):
|
||||
try:
|
||||
# simple check xml is valid
|
||||
body = [et.ElementTree.tostring(
|
||||
et.ElementTree.fromstring('<error_message>'
|
||||
+ '\n'.join(app_iter)
|
||||
+ '</error_message>'))]
|
||||
except et.ElementTree.ParseError as err:
|
||||
body = [ElementTree.tostring(
|
||||
ElementTree.fromstring('<error_message>'
|
||||
+ '\n'.join(app_iter)
|
||||
+ '</error_message>'))]
|
||||
except ElementTree.ParseError as err:
|
||||
LOG.error(_LE('Error parsing HTTP response: %s'), err)
|
||||
body = ['<error_message>%s' % state['status_code']
|
||||
+ '</error_message>']
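Review bot: The `except ElementTree.ParseError` clause in the second hunk does not cover the exceptions defusedxml itself raises. When `fromstring` rejects a forbidden construct it raises a `DefusedXmlException` subclass such as `EntitiesForbidden`, which derives from `ValueError`, so it would escape the handler instead of falling back to the status-code body. Wrapping the payload in `<error_message>` probably makes a DOCTYPE fail as an ordinary parse error first, so this may be hard to reach, but `except (ElementTree.ParseError, DefusedXmlException) as err:` with `from defusedxml import DefusedXmlException` keeps the fallback intact either way. The commented-out `# from xml import etree as et` in the first hunk should be deleted rather than left as dead code. The enclosing method starts and ends outside the hunk.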
|
||||
|
|
|
@ -20,3 +20,4 @@ python-glanceclient>=0.15.0,<0.18.0
|
|||
python-neutronclient>=2.4.0,<2.5.0
|
||||
python-novaclient>=2.22.0,<2.24.0
|
||||
WSME>=0.6,<0.7
|
||||
defusedxml>=0.4.1
|
||||
|
|