mloesch / sickle

Sickle: OAI-PMH for Humans

Add argument to XML parser to prohibit loading entities #18

Closed usask-rc closed 7 years ago

usask-rc commented 7 years ago

Description of problem, and the fix for it, at this URL: https://mikeknoop.com/lxml-xxe-exploit/

usask-rc commented 7 years ago

More reading: https://pypi.python.org/pypi/defusedxml

From my reading, lxml won't load external resources; however, with a malicious XML document it could deliver the contents of a local file to an attacker.
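The mitigation this issue asks for, as an added example that is not Sickle's own code and not part of the thread: an lxml parser built with `resolve_entities=False` (plus `no_network=True` and `load_dtd=False`) leaves an external entity reference unexpanded, so a record can no longer carry the contents of a local file. The response document, the `&ext;` entity name and the secret file are constructed for the demo; the extra DTD rejection in `parse_response` is an assumption about what a harvester should accept, not Sickle behaviour.

```python
import os
import tempfile

from lxml import etree

# Hardened parser: never substitute entities, never fetch over the network,
# never load an external DTD. Pass it wherever the OAI-PMH response is parsed.
HARDENED_PARSER = etree.XMLParser(resolve_entities=False, no_network=True, load_dtd=False)


def write_constructed_secret():
    """Create a constructed local file standing in for data that must not leak."""
    fd, path = tempfile.mkstemp(prefix="sickle-xxe-demo-")
    with os.fdopen(fd, "w") as fh:
        fh.write("CONSTRUCTED-SECRET")
    return path


def build_sample_response(local_path):
    """Constructed OAI-PMH-shaped response whose internal DTD declares an
    external entity backed by a local file and references it inside a record."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE OAI-PMH [<!ENTITY ext SYSTEM "file://%s">]>\n'
        '<OAI-PMH><GetRecord><record><metadata><title>&ext;</title>'
        '</metadata></record></GetRecord></OAI-PMH>' % local_path
    ).encode()


def title_after_parse(xml_bytes, parser):
    """Serialise the <title> element so an unexpanded &ext; stays visible."""
    root = etree.fromstring(xml_bytes, parser=parser)
    return etree.tostring(root.find(".//title")).decode()


def parse_response(xml_bytes):
    """Parse with the hardened parser and additionally refuse any DTD
    (assumption: a legitimate OAI-PMH response has no reason to carry one)."""
    root = etree.fromstring(xml_bytes, parser=HARDENED_PARSER)
    docinfo = root.getroottree().docinfo
    if docinfo.internalDTD is not None or docinfo.externalDTD is not None:
        raise ValueError("refusing XML response that declares a DTD")
    return root


if __name__ == "__main__":
    payload = build_sample_response(write_constructed_secret())
    print(title_after_parse(payload, HARDENED_PARSER))  # <title>&ext;</title>
    try:
        parse_response(payload)
    except ValueError as exc:
        print(exc)
```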