comparison doc/xmlrpc.txt @ 8237:57325fea9982
issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
defusedxml will be used to monkeypatch the problematic client and
server modules.
Test added using an xml bomb.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sun, 29 Dec 2024 19:11:01 -0500 |
| parents | e34b69d75ff7 |
| children | |
| 8236:2d0bd038fc5e | 8237:57325fea9982 |
|---|---|
| 77 | 77 |
| 78 Both the standalone and embedded roundup XML endpoints used the | 78 Both the standalone and embedded roundup XML endpoints used the |
| 79 default python XML parser. This parser is know to have security | 79 default python XML parser. This parser is know to have security |
| 80 issues. For details see: https://pypi.org/project/defusedxml/. | 80 issues. For details see: https://pypi.org/project/defusedxml/. |
| 81 You may wish to use the rest interface which doesn't have the same | 81 You may wish to use the rest interface which doesn't have the same |
| 82 issues. Patches with tests to roundup to use defusedxml are welcome. | 82 issues. If you install defusedxml, it will be automatically used to add |
| 83 some additional protection. | |
| 83 | 84 |
| 84 .. caution:: | 85 .. caution:: |
| 85 | 86 |
| 86 The current standalone ``roundup-xmlrpc-server`` implementation | 87 The current standalone ``roundup-xmlrpc-server`` implementation |
| 87 does not support SSL. This means that usernames and passwords will | 88 does not support SSL. This means that usernames and passwords will |
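Review bot: On new lines 82-83, "some additional protection" does not tell an administrator what is covered or how to confirm that defusedxml was actually picked up. Because the module is optional and is used automatically, a tracker where the install failed or landed in a different environment would look the same as a protected one. Suggest naming the class of input it guards against (the commit message mentions a test using an xml bomb), stating that without defusedxml the endpoint keeps using the default Python XML parser, and pointing to a way to check which one is active. While this paragraph is being edited, "is know to have" on line 79 should read "is known to have".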
