git.net

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Openstack-security] [Bug 1732155] Re: bandit report: use defusedxml to avoid XML attack


It doesn't cover everything, but at least the defusedxml.lxml module is
deprecated and it has been suggested libxml has been updated enough to
no longer need this.

Some discussion here: https://github.com/PyCQA/bandit/issues/435

** Changed in: cinder
       Status: In Progress => Invalid

** Changed in: cinder
       Status: Invalid => Won't Fix

** Bug watch added: github.com/PyCQA/bandit/issues #435
   https://github.com/PyCQA/bandit/issues/435

-- 
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1732155

Title:
  bandit report: use defusedxml to avoid XML attack

Status in Cinder:
  Won't Fix
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  According to
  https://docs.openstack.org/bandit/latest/api/bandit.blacklists.html

  Using various XLM methods to parse untrusted XML data is known to be
  vulnerable to XML attacks. Methods should be replaced with their
  defusedxml equivalents.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1732155/+subscriptions