1
0
mirror of synced 2024-11-26 03:04:22 +01:00

Remove defusedxml support and document why

This commit is contained in:
jvoisin 2018-09-05 18:41:08 +02:00
parent 3649c0ccaf
commit 072ee1814d
2 changed files with 9 additions and 5 deletions

View File

@ -61,3 +61,11 @@ Images handling
When possible, images are handled like PDF: rendered on a surface, then saved When possible, images are handled like PDF: rendered on a surface, then saved
to the filesystem. This ensures that every metadata is removed. to the filesystem. This ensures that every metadata is removed.
XML attacks
-----------
Since our thread model conveniently excludes files crafted to specifically
bypass MAT2, fileformats containing harmful XML are out of our scope.
But since MAT2 is using [etree](https://docs.python.org/3/library/xml.html#xml-vulnerabilities)
to process XML, it's "only" vulnerable to DoS, and not memory corruption:
odds are that the user will notice that the cleaning didn't succeed.

View File

@ -7,12 +7,8 @@ import zipfile
import logging import logging
from typing import Dict, Set, Pattern from typing import Dict, Set, Pattern
try: # protect against DoS
from defusedxml import ElementTree as ET # type: ignore
except ImportError:
import xml.etree.ElementTree as ET # type: ignore import xml.etree.ElementTree as ET # type: ignore
from . import abstract, parser_factory from . import abstract, parser_factory
# Make pyflakes happy # Make pyflakes happy