Use defusedxml that will prevent XEE and other attacks based on the abuse of XML. Release 2.1.6

Author: pitbulk

README.md

@@ -14,6 +14,8 @@ This version supports Python3, There is a separate version that only support Pyt
 
 #### Warning ####
 
+Release 1.2.6 adds the use defusedxml that will prevent XEE and other attacks based on the abuse of XML. (CVE-2017-9672)
+
 Update python3-saml to >= 1.2.1, 1.2.0 had a bug on signature validation process (when using wantAssertionsSigned and wantMessagesSigned). [CVE-2016-1000251](https://github.com/distributedweaknessfiling/DWF-Database-Artifacts/blob/master/DWF/2016/1000251/CVE-2016-1000251.json)
 
 1.2.0 version includes a security patch that contains extra validations that will prevent signature wrapping attacks.
@@ -80,7 +82,9 @@ Installation
 
  * python 2.7 // python 3.3
  * [xmlsec](https://pypi.python.org/pypi/xmlsec) Python bindings for the XML Security Library.
- * [isodate](https://pypi.python.org/pypi/isodate) An ISO 8601 date/time/duration parser and formatter
+ * [isodate](https://pypi.python.org/pypi/isodate) An ISO 8601 date/time/
+ duration parser and formatter
+ * [defusedxml](https://pypi.python.org/pypi/defusedxml) XML bomb protection for Python stdlib modules
 
 Review the setup.py file to know the version of the library that python3-saml is using
 

changelog.md

@@ -1,4 +1,7 @@
 # python3-saml changelog
+### 1.2.6 (Jun 15, 2017)
+* Use defusedxml that will prevent XEE and other attacks based on the abuse on XMLs. (CVE-2017-9672)
+
 ### 1.2.5 (Jun 2, 2017)
 * Fix issue related with multicers (multicerts were not used on response validation)
 ### 1.2.4 (May 18, 2017)

setup.py

@@ -9,7 +9,7 @@
 
 setup(
     name='python3-saml',
-    version='1.2.5',
+    version='1.2.6',
     description='Onelogin Python Toolkit. Add SAML support to your Python software using this library',
     classifiers=[
         'Development Status :: 5 - Production/Stable',
@@ -34,7 +34,8 @@
     test_suite='tests',
     install_requires=[
         'isodate>=0.5.0',
-        'xmlsec>=0.6.0'
+        'xmlsec>=0.6.0',
+        'defusedxml==0.5.0'
     ],
     dependency_links=['http://github.com/mehcode/python-xmlsec/tarball/master'],
     extras_require={

src/onelogin/saml2/auth.py

@@ -13,6 +13,7 @@
 
 import xmlsec
 from lxml import etree
+from defusedxml.lxml import tostring
 
 from onelogin.saml2 import compat
 from onelogin.saml2.settings import OneLogin_Saml2_Settings
@@ -606,7 +607,7 @@ def get_last_response_xml(self, pretty_print_if_possible=False):
             if isinstance(self.__last_response, compat.str_type):
                 response = self.__last_response
             else:
-                response = etree.tostring(self.__last_response, encoding='unicode', pretty_print=pretty_print_if_possible)
+                response = tostring(self.__last_response, encoding='unicode', pretty_print=pretty_print_if_possible)
         return response
 
     def get_last_request_xml(self):

src/onelogin/saml2/xml_utils.py

@@ -11,6 +11,7 @@
 
 from os.path import join, dirname
 from lxml import etree
+from defusedxml.lxml import tostring, fromstring
 from onelogin.saml2 import compat
 from onelogin.saml2.constants import OneLogin_Saml2_Constants
 
@@ -21,10 +22,10 @@
 
 class OneLogin_Saml2_XML(object):
     _element_class = type(etree.Element('root'))
-    _parse_etree = staticmethod(etree.fromstring)
+    _parse_etree = staticmethod(fromstring)
     _schema_class = etree.XMLSchema
     _text_class = compat.text_types
-    _unparse_etree = staticmethod(etree.tostring)
+    _unparse_etree = staticmethod(tostring)
 
     dump = staticmethod(etree.dump)
     make_root = staticmethod(etree.Element)