Remove defusedxml support and document why
This commit is contained in:
jvoisin
parent
3649c0ccaf
commit
072ee1814d
@ -61,3 +61,11 @@ Images handling
|
|||||||
When possible, images are handled like PDF: rendered on a surface, then saved
|
When possible, images are handled like PDF: rendered on a surface, then saved
|
||||||
to the filesystem. This ensures that every metadata is removed.
|
to the filesystem. This ensures that every metadata is removed.
|
||||||
|
|
||||||
|
XML attacks
|
||||||
|
-----------
|
||||||
|
|
||||||
|
Since our thread model conveniently excludes files crafted to specifically
|
||||||
|
bypass MAT2, fileformats containing harmful XML are out of our scope.
|
||||||
|
But since MAT2 is using [etree](https://docs.python.org/3/library/xml.html#xml-vulnerabilities)
|
||||||
|
to process XML, it's "only" vulnerable to DoS, and not memory corruption:
|
||||||
|
odds are that the user will notice that the cleaning didn't succeed.
|
||||||
|
|||||||
@ -7,11 +7,7 @@ import zipfile
|
|||||||
import logging
|
import logging
|
||||||
from typing import Dict, Set, Pattern
|
from typing import Dict, Set, Pattern
|
||||||
|
|
||||||
try: # protect against DoS
|
import xml.etree.ElementTree as ET # type: ignore
|
||||||
from defusedxml import ElementTree as ET # type: ignore
|
|
||||||
except ImportError:
|
|
||||||
import xml.etree.ElementTree as ET # type: ignore
|
|
||||||
|
|
||||||
|
|
||||||
from . import abstract, parser_factory
|
from . import abstract, parser_factory
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user