comparison doc/upgrading.txt @ 8237:57325fea9982
issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
defusedxml will be used to monkeypatch the problematic client and
server modules.
Test added using an xml bomb.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sun, 29 Dec 2024 19:11:01 -0500 |
| parents | 2d0bd038fc5e |
| children | 6bd11a73f2ed |
| 8236:2d0bd038fc5e | 8237:57325fea9982 |
|---|---|
| 156 + | 156 + |
| 157 # make sure none of the alts are owned by anyone other than us (x!=nodeid) | 157 # make sure none of the alts are owned by anyone other than us (x!=nodeid) |
| 158 | 158 |
| 159 add the lines marked with ``+`` in the file in the location after | 159 add the lines marked with ``+`` in the file in the location after |
| 160 check_main is assigned. | 160 check_main is assigned. |
| 161 | |
| 162 Defusedxml support improves XMLRPC security (optional) | |
| 163 ------------------------------------------------------ | |
| 164 | |
| 165 This release adds support for the defusedxml_ module. If it is | |
| 166 installed it will be automatically used. The default xmlrpc module in | |
| 167 the standard library has known issues when parsing crafted XML. It can | |
| 168 take a lot of CPU time and consume large amounts of memory with small | |
| 169 payloads. | |
| 170 | |
| 171 When the XMLRPC endpoint is used without defusedxml, it will log a | |
| 172 warning to the log file. The log entry can be disabled by adding:: | |
| 173 | |
| 174 | |
| 175 from roundup.cgi import client | |
| 176 client.WARN_FOR_MISSING_DEFUSEDXML = False | |
| 177 | |
| 178 to the ``interfaces.py`` file in the tracker home. (Create the file if | |
| 179 it is missing.) | |
| 180 | |
| 181 XMLRPC access is enabled by default in the classic and other trackers. | |
| 182 Upgrading to defusedxml is considered optional because the XMLRPC | |
| 183 endpoint can be disabled in the tracker's ``config.ini``. Also | |
| 184 ``Xmlrpc Access`` can be removed from the ``Users`` role by commenting | |
| 185 out a line in ``schema.py``. | |
| 186 | |
| 187 If you have enabled the xmlrpc endpoint, you should install | |
| 188 defusedxml. | |
| 189 | |
| 190 .. _defusedxml: https://pypi.org/project/defusedxml/ | |
| 161 | 191 |
| 162 More secure session cookie handling (info) | 192 More secure session cookie handling (info) |
| 163 ------------------------------------------ | 193 ------------------------------------------ |
| 164 | 194 |
| 165 This affects you if you are accessing a tracker via https. The name | 195 This affects you if you are accessing a tracker via https. The name |
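Review bot: the paragraph beginning "XMLRPC access is enabled by default" undercuts the "(optional)" in the new heading: because the endpoint is on in the classic and other trackers, an admin who upgrades without changing anything keeps a crafted-XML exposure and only learns of it from the log warning. Consider stating up front that a default tracker needs either defusedxml installed or the XMLRPC endpoint disabled, and name the actual ``config.ini`` setting (and the ``schema.py`` line) rather than saying only that it "can be disabled". Minor: "Upgrading to defusedxml" reads oddly for a newly added dependency; "Installing defusedxml" matches the final sentence. There is also a stray second blank line between "adding::" and the literal block, and the upgrade note could say whether the warning is emitted once at startup or on every XMLRPC request, since that decides whether anyone will want to set ``WARN_FOR_MISSING_DEFUSEDXML = False``.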
