Replace xml defusedxml

xml was considered as vulnerable to different atacks. It is recommended to replace this library with defused_xml Change-Id: I2b146dc34ada37a3ed9ecf49513d024a8ca2fb19 Related-Bug: #1625402
2018-01-25 15:11:39 +04:00 · 2018-01-25 15:11:39 +04:00 · 6e82ea023a
parent 828770dd67
commit 6e82ea023a
3 changed files with 5 additions and 4 deletions
--- a/glance/async/flows/ovf_process.py
+++ b/glance/async/flows/ovf_process.py
@ -19,9 +19,9 @@ import shutil
 import tarfile

 try:
-    import xml.etree.cElementTree as ET
+    from defusedxml import cElementTree as ET
 except ImportError:
-    import xml.etree.ElementTree as ET
+    from defusedxml import ElementTree as ET

 from oslo_config import cfg
 from oslo_log import log as logging
--- a/glance/tests/unit/async/flows/test_ovf_process.py
+++ b/glance/tests/unit/async/flows/test_ovf_process.py
@ -20,9 +20,9 @@ import tempfile

 import mock
 try:
-    from xml.etree.cElementTree import ParseError
+    from defusedxml.cElementTree import ParseError
 except ImportError:
-    from xml.etree.ElementTree import ParseError
+    from defusedxml.ElementTree import ParseError

 from glance.async.flows import ovf_process
 import glance.tests.utils as test_utils
--- a/requirements.txt
+++ b/requirements.txt
@ -3,6 +3,7 @@
 # process, which may cause wedges in the gate later.

 pbr!=2.1.0,>=2.0.0 # Apache-2.0
+defusedxml>=0.5.0 # PSF

 # < 0.8.0/0.8 does not work, see https://bugs.launchpad.net/bugs/1153983
 SQLAlchemy!=1.1.5,!=1.1.6,!=1.1.7,!=1.1.8,>=1.0.10 # MIT