Add defusedxml as an (optional) way to prevent XML-based attacks

Those attacks are DoS-only.
author: jvoisin 2018-07-08 17:07:26 +0200
committer: jvoisin 2018-07-08 17:07:26 +0200
commit: f9bc022c96dd73f5d5551777c19536db2464f06a (patch)
tree: 1bb23b0d599564863a2d4fdddb63146a2324861c
parent: 72e1fda18d2788fb45c04e35a6447a56599c86ed (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/libmat2/office.py b/libmat2/office.py
index 14621d4..0d0c795 100644
--- a/libmat2/office.py
+++ b/libmat2/office.py
@@ -4,8 +4,11 @@ import shutil
 import tempfile
 import datetime
 import zipfile
-import xml.etree.ElementTree as ET
 from typing import Dict, Set, Pattern
+try:  # protect against DoS
+    from defusedxml import ElementTree as ET
+except ImportError:
+    import xml.etree.ElementTree as ET
 from . import abstract, parser_factory
author	jvoisin	2018-07-08 17:07:26 +0200
committer	jvoisin	2018-07-08 17:07:26 +0200
commit	f9bc022c96dd73f5d5551777c19536db2464f06a (patch)
tree	1bb23b0d599564863a2d4fdddb63146a2324861c
parent	72e1fda18d2788fb45c04e35a6447a56599c86ed (diff)