I agree, it sounds like option 2 is safe. Julien, I updated your commit message on https://review.openstack.org/#/c/125021/ to point to this thread.
Write-it-down-ly,
Doug

On Sep 30, 2014, at 7:17 AM, Davanum Srinivas <dava...@gmail.com> wrote:

> Julien,
>
> I believe all the lessons learned from defusedxml (see the release
> dates) have been folded back into the different libraries. For example
> plain old etree.fromstring() even without any special options is ok
> with the specially crafted xml bombs that you can find as test cases
> in defusedxml repo. There is some more information here as well
> (http://lxml.de/FAQ.html#is-lxml-vulnerable-to-xml-bombs). So at this
> point, unless we see a new attack vector other than the ones that
> caused folks to whip up defusedxml, we should be good. So Option #2 is
> definitely the way to go.
>
> thanks,
> dims
>
> On Tue, Sep 30, 2014 at 3:45 AM, Julien Danjou <jul...@danjou.info> wrote:
>> On Mon, Sep 29 2014, Joshua Harlow wrote:
>>
>>> Do we know that the users (keystone, neutron...) aren't vulnerable?
>>>
>>> From https://pypi.python.org/pypi/defusedxml#python-xml-libraries it sure
>>> seems like we would likely still have issues if custom implementations are
>>> being used/created. Perhaps we should just use the defusedxml libraries
>>> until proven otherwise (better to be safe than sorry).
>>
>> According to LP#1100282¹, Keystone and Neutron are supposed to not be
>> vulnerable with different fixes than Nova.
>>
>> Since all the solutions are different, I'm not sure it covers the
>> problem in its entirety in all cases.
>>
>> I see 2 options:
>> 1. Put effort to move all projects to defusedxml
>> 2. Since XML APIs are going to be deprecated (at least in Nova), move
>>    xmlutils to Nova and be done with it.
>>
>> Solution 1 requires a lot more effort, and I wonder if it's worth it.
>>
>> ¹ https://bugs.launchpad.net/bugs/1100282
>>
>> --
>> Julien Danjou
>> // Free Software hacker
>> // http://julien.danjou.info
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev@lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
> --
> Davanum Srinivas :: https://twitter.com/dims
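Both options in the thread come down to what the parser does with a DTD. As an added illustration (not code from this thread or from any OpenStack project), the stand-alone Python below reproduces the defusedxml policy on the stdlib expat parser: the document is scanned once with handlers that refuse any DOCTYPE, entity declaration or external entity reference before it is handed to ElementTree. The helper names and the two constructed sample documents are my own.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """Raised when a document declares a DTD, an entity or an external ref."""


def reject_dtd_and_entities(data):
    """Pre-scan `data` with expat; raise ForbiddenXML on DTD/entity constructs.

    Hypothetical helper mirroring defusedxml's forbid_dtd / forbid_entities /
    forbid_external switches. Exceptions raised inside an expat handler stop
    the parse and propagate out of Parse(), so the scan aborts at the first
    forbidden construct.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenXML("DOCTYPE declaration not allowed: %s" % name)

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise ForbiddenXML("entity declaration not allowed: %s" % name)

    def on_external_ref(context, base, sysid, pubid):
        raise ForbiddenXML("external entity reference not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)


def safe_fromstring(data):
    """Parse like ET.fromstring(), but only after the pre-scan passes."""
    reject_dtd_and_entities(data)
    return ET.fromstring(data)


def forbidden_reason(data):
    """Return None if `data` is acceptable, else the reason it was refused."""
    try:
        safe_fromstring(data)
    except ForbiddenXML as exc:
        return str(exc)
    return None


# Constructed samples: a plain document and one carrying an internal DTD.
PLAIN_DOC = '<?xml version="1.0"?><server><name>vm1</name></server>'
DTD_DOC = '<!DOCTYPE r [<!ENTITY e "x">]><r>&e;</r>'
```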