
Commit 634cd40

Use defusedxml that will prevent XEE and other attacks based on the abuse of XML. Release 2.1.6
1 parent f45794f commit 634cd40

5 files changed, 16 additions and 6 deletions


README.md

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -14,6 +14,8 @@ This version supports Python3, There is a separate version that only support Pyt
1414

1515
#### Warning ####
1616

17+
Release 1.2.6 adds the use defusedxml that will prevent XEE and other attacks based on the abuse of XML. (CVE-2017-9672)
18+
1719
Update python3-saml to >= 1.2.1, 1.2.0 had a bug on signature validation process (when using wantAssertionsSigned and wantMessagesSigned). [CVE-2016-1000251](https://github.com/distributedweaknessfiling/DWF-Database-Artifacts/blob/master/DWF/2016/1000251/CVE-2016-1000251.json)
1820

1921
1.2.0 version includes a security patch that contains extra validations that will prevent signature wrapping attacks.
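Review bot: the new warning line reads "adds the use defusedxml" and names the attack class "XEE"; the established abbreviation for XML External Entity injection is XXE, and what defusedxml actually covers is entity expansion (billion laughs, quadratic blowup) and external entity / DTD retrieval, so say that instead of "other attacks based on the abuse of XML". The line also gives the reader no action, while the neighbouring warning says "Update python3-saml to >= 1.2.1"; mirror it: "Update python3-saml to >= 1.2.6: this release parses XML with defusedxml to reject entity expansion and external entity (XXE) attacks (CVE-2017-9672)."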
@@ -80,7 +82,9 @@ Installation
8082

8183
* python 2.7 // python 3.3
8284
* [xmlsec](https://pypi.python.org/pypi/xmlsec) Python bindings for the XML Security Library.
83-
* [isodate](https://pypi.python.org/pypi/isodate) An ISO 8601 date/time/duration parser and formatter
85+
* [isodate](https://pypi.python.org/pypi/isodate) An ISO 8601 date/time/
86+
duration parser and formatter
87+
* [defusedxml](https://pypi.python.org/pypi/defusedxml) XML bomb protection for Python stdlib modules
8488

8589
Review the setup.py file to know the version of the library that python3-saml is using
8690
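Review bot: the isodate bullet is split across two lines ("date/time/" then "duration parser and formatter") for no reason this change needs; keep it on one line so the diff shows only the added defusedxml bullet. For that bullet, "XML bomb protection for Python stdlib modules" is the package's PyPI tagline, but the code imports defusedxml.lxml, and lxml is not a stdlib module; describe what it does here, e.g. "* [defusedxml](https://pypi.python.org/pypi/defusedxml) hardened XML parsing (entity expansion and external entity protection)", and state the minimum version the toolkit needs, since setup.py now requires one.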

changelog.md

Lines changed: 3 additions & 0 deletions
@@ -1,4 +1,7 @@
11
# python3-saml changelog
2+
### 1.2.6 (Jun 15, 2017)
3+
* Use defusedxml that will prevent XEE and other attacks based on the abuse on XMLs. (CVE-2017-9672)
4+
25
### 1.2.5 (Jun 2, 2017)
36
* Fix issue related with multicers (multicerts were not used on response validation)
47
### 1.2.4 (May 18, 2017)
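Review bot: "based on the abuse on XMLs" should be "based on the abuse of XML", and the entry should use the same wording as the README line it mirrors (which already says "of XML"); as there, "XEE" looks like a typo for XXE. A changelog entry for a CVE fix should also name the affected range (all releases before 1.2.6) so operators can triage from the changelog without opening the commit.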

setup.py

Lines changed: 3 additions & 2 deletions
@@ -9,7 +9,7 @@
99

1010
setup(
1111
name='python3-saml',
12-
version='1.2.5',
12+
version='1.2.6',
1313
description='Onelogin Python Toolkit. Add SAML support to your Python software using this library',
1414
classifiers=[
1515
'Development Status :: 5 - Production/Stable',
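Review bot: the version becomes 1.2.6 here, in the README and in the changelog, but the commit message says "Release 2.1.6"; fix the message (or the tag that will be cut from it) before publishing, so the git history and the PyPI release agree on which version carries the CVE-2017-9672 fix.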
@@ -34,7 +34,8 @@
3434
test_suite='tests',
3535
install_requires=[
3636
'isodate>=0.5.0',
37-
'xmlsec>=0.6.0'
37+
'xmlsec>=0.6.0',
38+
'defusedxml==0.5.0'
3839
],
3940
dependency_links=['http://github.com/mehcode/python-xmlsec/tarball/master'],
4041
extras_require={
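Review bot: 'defusedxml==0.5.0' pins an exact version inside a library's install_requires. Any application that also depends on defusedxml, directly or through another package, at any other version gets an unresolvable conflict, and a future defusedxml fix would need a python3-saml release to reach users. Use a floor like 'defusedxml>=0.5.0', as the isodate and xmlsec entries already do, and add an upper bound only if a known break needs one. Separately, the unchanged dependency_links entry still fetches python-xmlsec from a moving tarball/master URL over plain http://; that is outside this fix, but an unpinned, unauthenticated tarball is exactly the supply-chain exposure a security release should not keep shipping, so it deserves a follow-up issue.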

src/onelogin/saml2/auth.py

Lines changed: 2 additions & 1 deletion
@@ -13,6 +13,7 @@
1313

1414
import xmlsec
1515
from lxml import etree
16+
from defusedxml.lxml import tostring
1617

1718
from onelogin.saml2 import compat
1819
from onelogin.saml2.settings import OneLogin_Saml2_Settings
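Review bot: importing a bare `tostring` next to `from lxml import etree` hides at the call sites that this `tostring` comes from defusedxml rather than lxml. Import the module (`from defusedxml import lxml as defused_lxml`) or alias the name, so a reader of get_last_response_xml can tell which serializer is in use without scrolling to the imports.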
@@ -606,7 +607,7 @@ def get_last_response_xml(self, pretty_print_if_possible=False):
606607
if isinstance(self.__last_response, compat.str_type):
607608
response = self.__last_response
608609
else:
609-
response = etree.tostring(self.__last_response, encoding='unicode', pretty_print=pretty_print_if_possible)
610+
response = tostring(self.__last_response, encoding='unicode', pretty_print=pretty_print_if_possible)
610611
return response
611612

612613
def get_last_request_xml(self):
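Review bot: this swap has no security effect: `tostring` serializes an already-parsed tree, and defusedxml.lxml re-exports lxml's own `tostring` unchanged. Entity expansion and external entity attacks happen at parse time, so the protection for this path comes entirely from how `self.__last_response` was parsed, not from how it is printed back. Either drop this hunk as noise or add a one-line comment that the import is for consistency only, so nobody later reads this line as the CVE fix.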

src/onelogin/saml2/xml_utils.py

Lines changed: 3 additions & 2 deletions
@@ -11,6 +11,7 @@
1111

1212
from os.path import join, dirname
1313
from lxml import etree
14+
from defusedxml.lxml import tostring, fromstring
1415
from onelogin.saml2 import compat
1516
from onelogin.saml2.constants import OneLogin_Saml2_Constants
1617

@@ -21,10 +22,10 @@
2122

2223
class OneLogin_Saml2_XML(object):
2324
_element_class = type(etree.Element('root'))
24-
_parse_etree = staticmethod(etree.fromstring)
25+
_parse_etree = staticmethod(fromstring)
2526
_schema_class = etree.XMLSchema
2627
_text_class = compat.text_types
27-
_unparse_etree = staticmethod(etree.tostring)
28+
_unparse_etree = staticmethod(tostring)
2829

2930
dump = staticmethod(etree.dump)
3031
make_root = staticmethod(etree.Element)
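Review bot: `fromstring` is installed with its defaults, and defusedxml.lxml.fromstring defaults to forbid_dtd=False, forbid_entities=True, so a message carrying a DOCTYPE is still accepted as long as it declares no entities. No legitimate SAML message carries a DTD, so reject it outright with a small wrapper, e.g. `_parse_etree = staticmethod(lambda text: fromstring(text, forbid_dtd=True))` (pass through parser and base_url if any caller supplies them). Two things to verify as well: parsed elements now come back as defusedxml's RestrictedElement subclass while `_element_class` above is still lxml's plain element type, so make sure nothing compares types exactly instead of using isinstance; and defusedxml describes its lxml module as an example of how to protect lxml code rather than a supported API, so the equivalent lxml-native parser (`etree.XMLParser(resolve_entities=False, no_network=True)` plus a DOCTYPE check) may be the more durable home for this hardening.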
