diff roundup/cgi/client.py @ 8237:57325fea9982

issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml. defusedxml will be used to monkeypatch the problematic client and server modules. Test added using an XML bomb.
author John Rouillard <rouilj@ieee.org>
date Sun, 29 Dec 2024 19:11:01 -0500
parents 9d2ad7386627
children 741ea8a86012
--- a/roundup/cgi/client.py	Mon Dec 23 21:10:54 2024 -0500
+++ b/roundup/cgi/client.py	Sun Dec 29 19:11:01 2024 -0500
@@ -101,6 +101,9 @@
     msg_list.append(msg)
     return msg_list  # for unittests
 
+# if set to False via interfaces.py do not log a warning when
+# xmlrpc is used and defusedxml is not installed.
+WARN_FOR_MISSING_DEFUSEDXML = True
 
 default_err_msg = ''"""<html><head><title>An error has occurred</title></head>
 <body><h1>An error has occurred</h1>
@@ -656,6 +659,8 @@
             csrf_ok = False  # we had an error, failed check
 
         if csrf_ok is True:
+            if WARN_FOR_MISSING_DEFUSEDXML and (not xmlrpc_.client.defusedxml):
+                logger.warning(self._("XMLRPC endpoint is not using defusedxml. Improve security by installing defusedxml."))
             handler = xmlrpc.RoundupDispatcher(self.db,
                                                self.instance.actions,
                                                self.translator,
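Review bot: The new warning fires on every XML-RPC request that passes the CSRF check, because nothing in the hunk records that it has already been emitted, so a busy tracker without defusedxml will write the same line to the log on each call and can drown other security-relevant entries. I would log it once per process: add `global WARN_FOR_MISSING_DEFUSEDXML` at the top of the method and set `WARN_FOR_MISSING_DEFUSEDXML = False` immediately after the `logger.warning(...)` call, which also keeps the interfaces.py override working since it merely pre-sets the same flag. Two smaller points: the message is passed through `self._(...)`, which localizes an operator-facing log line and makes it harder to grep for across deployments, so a plain string is preferable here; and the test `xmlrpc_.client.defusedxml` presumably relies on the `xmlrpc_` shim always defining that attribute — if a plain `xmlrpc.client` could ever be bound there, use `getattr(xmlrpc_.client, 'defusedxml', False)` so the check cannot raise AttributeError on the request path. The enclosing method starts and ends outside this hunk.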
