
fix cve CVE Requests

main
Mathieu Le Marec - Pasquet 10 years ago
parent
commit
64125a24aa
7 changed files with 60 additions and 55 deletions
  1. +21
    -2
      CHANGES.txt
  2. +2
    -0
      README.txt
  3. +0
    -0
      old.Changelog
  4. +3
    -42
      setup.py
  5. +29
    -9
      src/SOAPpy/Parser.py
  6. +5
    -2
      src/SOAPpy/version.py
  7. +0
    -0
      tests/vul_lol.txt

+ 21
- 2
CHANGES.txt View File

@@ -1,8 +1,27 @@
CHANGELOG
=====================

0.12.6 (unreleased)
-----------------------
0.12.19 (unreleased)
--------------------

- Nothing changed yet.


0.12.18 (2014-05-15)
--------------------

- better version handling [kiorky]


0.12.6 (2014-05-15)
-------------------
- display summary on pypi [kiorky]


0.12.6 (2014-05-15)
-------------------
- fix cve CVE Request ---- SOAPpy 0.12.5 Multiple Vulnerabilities -- LOL part
[kiorky]
- fix cve CVE Request ---- SOAPpy 0.12.5 Multiple Vulnerabilities -- XXE part
[kiorky]
- Remove dependency on fpconst.


+ 2
- 0
README.txt View File

@@ -2,6 +2,8 @@
SOAPpy - Simple to use SOAP library for Python
==============================================

.. contents::

Disclaimer
==========
Please use `suds <https://pypi.python.org/pypi/suds>`_ rather than SOAPpy.


ChangeLog → old.Changelog View File


+ 3
- 42
setup.py View File

@@ -11,53 +11,13 @@ def read(*rnames):
return "\n"+ open(
os.path.join('.', *rnames)
).read()




def load_version():
"""
Load the version number by executing the version file in a variable. This
way avoids executing the __init__.py file which load nearly everything in
the project, including fpconst which is not yet installed when this script
is executed.

Source: https://github.com/mitsuhiko/flask/blob/master/flask/config.py#L108
"""

import imp
from os import path

filename = path.join(path.dirname(__file__), 'src', 'SOAPpy', 'version.py')
d = imp.new_module('version')
d.__file__ = filename

try:
execfile(filename, d.__dict__)
except IOError, e:
e.strerror = 'Unable to load the version number (%s)' % e.strerror
raise

return d.__version__


__version__ = load_version()


url="https://github.com/kiorky/SOAPpy.git"

long_description="SOAPpy provides tools for building SOAP clients and servers. For more information see " + url\
+'\n'+read('README.txt')\
+'\n'+read('CHANGES.txt')\

if CVS:
import time
__version__ += "_CVS_" + time.strftime('%Y_%m_%d')


+'\n'+read('CHANGES.txt')
setup(
name="SOAPpy",
version=__version__,
version='0.12.19.dev0',
description="SOAP Services for Python",
maintainer="Gregory Warnes, kiorky",
maintainer_email="Gregory.R.Warnes@Pfizer.com, kiorky@cryptelium.net",
@@ -68,6 +28,7 @@ setup(
include_package_data=True,
install_requires=[
'wstools',
'defusedxml',
]
)
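Review bot: The release version is now a hand-maintained literal `version='0.12.19.dev0'` in setup.py while `src/SOAPpy/version.py` in this same commit derives `__version__` from pkg_resources with a `"xxx"` fallback, so the two can drift apart and the string must be bumped by hand on every release; a comment such as `# single source of the version: version.py reads it back from installed metadata` next to the `version=` line would make that intent explicit. The new `'defusedxml'` entry in `install_requires` carries no lower bound even though Parser.py relies on the `forbid_dtd`/`forbid_entities`/`forbid_external` attributes of the expat reader it returns; on an older defusedxml those assignments would presumably just create unused attributes, so a minimum such as `'defusedxml>=<MIN_VERSION_PLACEHOLDER>'` would avoid a silent loss of protection. The first hunk ends inside the `setup(` call, whose remaining arguments are outside this view.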


+ 29
- 9
src/SOAPpy/Parser.py View File

@@ -16,6 +16,10 @@ except ImportError:
try: from M2Crypto import SSL
except: pass

from defusedxml import expatreader
from defusedxml.common import DefusedXmlException


ident = '$Id: Parser.py 1497 2010-03-08 06:06:52Z pooryorick $'
from version import __version__

@@ -23,6 +27,11 @@ from version import __version__
################################################################################
# SOAP Parser
################################################################################

def make_parser(parser_list=[]):
return expatreader.create_parser()


class RefHolder:
def __init__(self, name, frame):
self.name = name
@@ -1041,27 +1050,38 @@ class EmptyEntityResolver(xml.sax.handler.EntityResolver):
return StringIO("<?xml version='1.0' encoding='UTF-8'?>")


def _parseSOAP(xml_str, rules = None, ignore_ext=None):
def _parseSOAP(xml_str, rules = None, ignore_ext=None,
forbid_entities=False, forbid_external=True, forbid_dtd=False):
inpsrc = xml.sax.xmlreader.InputSource()
inpsrc.setByteStream(StringIO(xml_str))
if ignore_ext is None:
ignore_ext = False

parser = xml.sax.make_parser()
parser = make_parser()
t = SOAPParser(rules=rules)
parser.setContentHandler(t)
e = xml.sax.handler.ErrorHandler()
parser.setErrorHandler(e)
errorHandler = xml.sax.handler.ErrorHandler()
parser.setErrorHandler(errorHandler)

inpsrc = xml.sax.xmlreader.InputSource()
inpsrc.setByteStream(StringIO(xml_str))

# disable by default entity loading on posted content
if ignore_ext:
parser.setEntityResolver(EmptyEntityResolver())
# disable by default entity loading on posted content
forbid_dtd = True
forbid_entities = True
forbid_external = True
parser.forbid_dtd = forbid_dtd
parser.forbid_entities = forbid_entities
parser.forbid_external = forbid_external
parser.setEntityResolver(EmptyEntityResolver())

# turn on namespace mangeling
parser.setFeature(xml.sax.handler.feature_namespaces, 1)

try:
parser.parse(inpsrc)
except DefusedXmlException, e:
parser._parser = None
print traceback.format_exc()
raise e
except xml.sax.SAXParseException, e:
parser._parser = None
print traceback.format_exc()
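Review bot: The keyword defaults `forbid_entities=False, forbid_dtd=False` on the new `_parseSOAP` signature are written unconditionally onto the parser (`parser.forbid_entities = forbid_entities` and the two lines beside it), so a caller that leaves `ignore_ext` at its default of False gets a parser that still accepts DTDs and internal entity declarations; as far as I recall defusedxml's `create_parser()` itself defaults to `forbid_entities=True`, in which case this assignment loosens what `make_parser()` returned. Unless every caller passes `ignore_ext=True` (callers are outside this hunk), the entity-expansion part of the advisory is mitigated only on opt-in; changing the defaults to `forbid_entities=True, forbid_dtd=True` keeps the new parameters while making the safe setting the default. In the `DefusedXmlException` handler, `raise e` discards the original traceback under Python 2 and `print traceback.format_exc()` writes it to stdout; a bare `raise` after logging would preserve both. `make_parser(parser_list=[])` ignores its argument and uses a mutable default; `parser_list=None` with a comment that the parameter is kept for signature compatibility reads better. `_parseSOAP`'s body continues past the end of the hunk.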


+ 5
- 2
src/SOAPpy/version.py View File

@@ -1,2 +1,5 @@
__version__="0.12.6"

try:
import pkg_resources
__version__ = pkg_resources.get_distribution("SOAPpy").version
except:
__version__="xxx"
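Review bot: The bare `except:` at the end of the new block catches everything, including `KeyboardInterrupt` and `SystemExit`, and turns any failure into `__version__="xxx"`; narrowing it to `except Exception:` keeps the best-effort fallback without masking interpreter signals. The literal `__version__="0.12.6"` on the first line is overwritten on every path through the try/except, so it is dead code and, since it also differs from setup.py's `'0.12.19.dev0'`, misleading; either drop it or use it as the fallback value instead of `"xxx"`. A comment such as `# version comes from installed package metadata; "xxx" means SOAPpy is not installed` would document why an uninstalled source checkout reports a placeholder.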

vul_lol.txt → tests/vul_lol.txt View File

