use defusedxml to avoid DoS attacks while loading XML
parent
cc94ebca30
commit
4d13a904f3
@ -28,6 +28,7 @@
|
||||
|
||||
|
||||
import collections
|
||||
import defusedxml.minidom
|
||||
import git
|
||||
import glob
|
||||
import os
|
||||
@ -36,7 +37,6 @@ import logging
|
||||
import requests
|
||||
import shutil
|
||||
import tempfile
|
||||
import xml.dom.minidom
|
||||
import zipfile
|
||||
from argparse import ArgumentParser
|
||||
|
||||
@ -94,7 +94,7 @@ For more info on this idea:
|
||||
continue
|
||||
dest = os.path.join(cpdir, f)
|
||||
if f.endswith('.xml'):
|
||||
doc = xml.dom.minidom.parse(repof)
|
||||
doc = defusedxml.minidom.parse(repof)
|
||||
output = doc.toprettyxml(encoding='utf-8')
|
||||
with open(dest, 'wb') as f:
|
||||
f.write(output)
|
||||
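Review bot: The new `defusedxml.minidom.parse(repof)` call raises on documents that declare entities or reference external ones, and nothing visible in this hunk catches that, so a single rejected `.xml` file would appear to abort the whole copy loop with a traceback that does not name the file. If failing closed is intended, make it explicit, e.g. wrap the parse in `except defusedxml.DefusedXmlException as e:` and log `repof` before re-raising or skipping. Note also that defusedxml leaves `forbid_dtd` off by default, so a bare DTD declaration is still accepted; pass `forbid_dtd=True` if these files never need one. The enclosing function starts and ends outside the hunk, so an outer handler may already exist.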
|
@ -39,7 +39,7 @@ import base64
|
||||
import zipfile
|
||||
import tempfile
|
||||
import json
|
||||
import xml.etree.ElementTree as XMLElementTree
|
||||
import defusedxml.ElementTree as XMLElementTree
|
||||
|
||||
from binascii import hexlify
|
||||
from datetime import datetime, timedelta
|
||||
@ -74,7 +74,6 @@ STANDARD_FILE_NAME_REGEX = re.compile(r'^(\w[\w.]*)_(-?[0-9]+)\.\w+')
|
||||
MAX_VERSION_CODE = 0x7fffffff # Java's Integer.MAX_VALUE (2147483647)
|
||||
|
||||
XMLNS_ANDROID = '{http://schemas.android.com/apk/res/android}'
|
||||
XMLElementTree.register_namespace('android', 'http://schemas.android.com/apk/res/android')
|
||||
|
||||
config = None
|
||||
options = None
|
||||
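Review bot: The alias `XMLElementTree` now points at `defusedxml.ElementTree`, which exposes only the parsing entry points, and the hunk counts suggest the `register_namespace('android', ...)` call was dropped for that reason. If anything in this module serialises a manifest back out, it would presumably now emit generated `ns0:` prefixes instead of `android:`. Registering a prefix parses nothing, so it is safe to keep via the stdlib: `import xml.etree.ElementTree` next to the defused import, then `xml.etree.ElementTree.register_namespace('android', 'http://schemas.android.com/apk/res/android')`. A comment on the import line such as `# parsing only: defusedxml does not provide Element/SubElement/register_namespace` would also stop a later caller from reaching for attributes the alias no longer has. The rest of the module is outside the hunk, so whether such callers exist cannot be confirmed here.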
|
1
setup.py
1
setup.py
@ -69,6 +69,7 @@ setup(name='fdroidserver',
|
||||
install_requires=[
|
||||
'androguard >= 3.1.0rc2',
|
||||
'clint',
|
||||
'defusedxml',
|
||||
'GitPython',
|
||||
'mwclient',
|
||||
'paramiko',
|
||||
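Review bot: The new `'defusedxml',` entry has no lower bound, while the neighbouring `androguard` requirement carries one. Because the DoS protection now depends entirely on this package, pin a floor at the release the test suite was run against, e.g. `'defusedxml >= <minimum tested version>',`, so an old or incompatible copy already on a build host is not silently accepted.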
|
@ -681,6 +681,12 @@ class CommonTest(unittest.TestCase):
|
||||
sig = fdroidserver.common.metadata_find_developer_signature('org.smssecure.smssecure')
|
||||
self.assertEqual('b30bb971af0d134866e158ec748fcd553df97c150f58b0a963190bbafbeb0868', sig)
|
||||
|
||||
def test_parse_xml(self):
|
||||
manifest = os.path.join('source-files', 'fdroid', 'fdroidclient', 'AndroidManifest.xml')
|
||||
parsed = fdroidserver.common.parse_xml(manifest)
|
||||
self.assertIsNotNone(parsed)
|
||||
self.assertEqual(str(type(parsed)), "<class 'xml.etree.ElementTree.Element'>")
|
||||
|
||||
def test_parse_androidmanifests(self):
|
||||
app = fdroidserver.metadata.App()
|
||||
app.id = 'org.fdroid.fdroid'
|
||||
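Review bot: `test_parse_xml` covers only the happy path, so nothing in the suite would fail if the defused import were later reverted to the stdlib parser. A negative test is needed that feeds `parse_xml` a document with an entity declaration and asserts it is rejected. This assumes `parse_xml` passes the defusedxml exception through rather than catching it, and that `tempfile` and `defusedxml` are importable in the test module. The type check would also be sturdier as `assertIsInstance` than as a comparison of `str(type(parsed))`. `test_parse_androidmanifests` continues outside the hunk.

```python
    def test_parse_xml_rejects_entities(self):
        # constructed sample: a harmless internal entity declaration
        testdir = tempfile.mkdtemp()
        path = os.path.join(testdir, 'AndroidManifest.xml')
        with open(path, 'w') as fp:
            fp.write('<!DOCTYPE manifest [<!ENTITY e "x">]><manifest>&e;</manifest>')
        with self.assertRaises(defusedxml.EntitiesForbidden):
            fdroidserver.common.parse_xml(path)
```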
|