mirrors/Radicale
1
0
Fork 0
mirror of https://github.com/Kozea/Radicale.git synced 2025-04-03 21:27:36 +03:00
Code Issues Projects Releases Packages Wiki Activity

Protect against XML DOS attacks

Browse source 
Only XML content from authenticated users is parsed.
This commit is contained in:
Unrud 2020-01-19 18:39:31 +01:00
parent 562d3aacec
commit e11661ff3e
3 changed files with 6 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

3
radicale/app/__init__.py
View file

@ -37,6 +37,7 @@ import zlib
from http import client
from xml.etree import ElementTree as ET
import defusedxml.ElementTree as DefusedET
import pkg_resources
from radicale import (auth, httputils, log, pathutils, rights, storage, web,
@ -355,7 +356,7 @@ class Application(
if not content:
return None
try:
xml_content = ET.fromstring(content)
xml_content = DefusedET.fromstring(content)
except ET.ParseError as e:
logger.debug("Request content (Invalid XML):\n%s", content)
raise RuntimeError("Failed to parse XML: %s" % e) from e