mirrors/Radicale
1
0
Fork 0
mirror of https://github.com/Kozea/Radicale.git synced 2025-04-03 21:27:36 +03:00
Code Issues Projects Releases Packages Wiki Activity

Protect against XML DOS attacks

Browse source 
Only XML content from authenticated users is parsed.
This commit is contained in:
Unrud 2020-01-19 18:39:31 +01:00
parent 562d3aacec
commit e11661ff3e
3 changed files with 6 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

4
radicale/tests/test_base.py
View file

@ -26,9 +26,9 @@ import posixpath
import shutil
import sys
import tempfile
import xml.etree.ElementTree as ET
from functools import partial
import defusedxml.ElementTree as DefusedET
import pytest
from radicale import Application, config, storage
@ -1161,7 +1161,7 @@ class BaseRequestsMixIn:
if sync_token and status == 409:
return None, None
assert status == 207
xml = ET.fromstring(answer)
xml = DefusedET.fromstring(answer)
sync_token = xml.find("{DAV:}sync-token").text.strip()
assert sync_token
return sync_token, xml