From b29e07846f088437575c7bd74f5672c1b29baf5a Mon Sep 17 00:00:00 2001
From: croneter
Date: Wed, 5 Sep 2018 17:36:38 +0200
Subject: [PATCH] Safely parse XMLs using defusedxml
---
 addon.xml | 1 +
 resources/lib/downloadutils.py | 2 +-
 resources/lib/utils.py | 5 +++--
 resources/lib/websocket_client.py | 2 +-
 4 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/addon.xml b/addon.xml
index 6a49b165..e632d92e 100644
--- a/addon.xml
+++ b/addon.xml
@@ -3,6 +3,7 @@
+
diff --git a/resources/lib/downloadutils.py b/resources/lib/downloadutils.py
index 6ad5d8b0..3ae64e7c 100644
--- a/resources/lib/downloadutils.py
+++ b/resources/lib/downloadutils.py
@@ -2,7 +2,7 @@
 # -*- coding: utf-8 -*-
 from __future__ import absolute_import, division, unicode_literals
 from logging import getLogger
-import xml.etree.ElementTree as etree
+import defusedxml.ElementTree as etree # etree parse unsafe
 import requests
 from . import utils
diff --git a/resources/lib/utils.py b/resources/lib/utils.py
index 0194605e..9f3ee06a 100644
--- a/resources/lib/utils.py
+++ b/resources/lib/utils.py
@@ -13,6 +13,7 @@ from StringIO import StringIO
 from time import localtime, strftime
 from unicodedata import normalize
 import xml.etree.ElementTree as etree
+import defusedxml.ElementTree as defused_etree # etree parse unsafe
 from functools import wraps, partial
 from urllib import quote_plus
 import hashlib
@@ -669,7 +670,7 @@ class XmlKodiSetting(object):
 def __enter__(self):
 try:
- self.tree = etree.parse(self.path)
+ self.tree = defused_etree.parse(self.path)
 except IOError:
 # Document is blank or missing
 if self.force_create is False:
@@ -828,7 +829,7 @@ def passwords_xml():
 path = path_ops.translate_path('special://userdata/')
 xmlpath = "%spasswords.xml" % path
 try:
- xmlparse = etree.parse(xmlpath)
+ xmlparse = defused_etree.parse(xmlpath)
 except IOError:
 # Document is blank or missing
 root = etree.Element('passwords')
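Review bot: Aliasing `defusedxml.ElementTree` as `etree` in downloadutils.py keeps working only if the module uses the names defusedxml re-exports (`parse`, `iterparse`, `fromstring`, `XML`, `XMLParser`, `ParseError`, `tostring`); it does not provide `Element`, `SubElement` or the `ElementTree` class, so any `etree.Element(...)` or `etree.SubElement(...)` elsewhere in the module, which this hunk does not show, would now fail with AttributeError at the call site instead of at import time. The utils.py hunk avoids this by keeping the stdlib `etree` and adding `defused_etree` for parsing only, as its `passwords_xml()` hunk still relies on `etree.Element('passwords')`; the same split would be safer here and in the websocket_client.py hunk, which aliases the same way. The trailing `# etree parse unsafe` comment, repeated on all three new imports, reads as a warning about the line it sits on; `# defusedxml: refuses entity expansion and external entity references on parse` states what the swap actually provides.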
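Review bot: The `except IOError:` following the new `defused_etree.parse(self.path)` still only covers a missing or unreadable file; when defusedxml rejects a document (entity declarations or external references) it raises a `DefusedXmlException`, which is a `ValueError` subclass and therefore propagates uncaught out of `__enter__`, aborting the `with` block, and the same applies to the `passwords_xml()` hunk below. Failing closed on a hostile settings file is a reasonable outcome, but it should be deliberate and visible: either note it in a comment above the `try`, or add `except defusedxml.DefusedXmlException:` (imported from the `defusedxml` package, which the new import line does not bind as a name) that logs the rejected path with the module's logger and re-raises. The body of `__enter__` continues past the end of this hunk.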
diff --git a/resources/lib/websocket_client.py b/resources/lib/websocket_client.py
index 13f0b793..ff81c30f 100644
--- a/resources/lib/websocket_client.py
+++ b/resources/lib/websocket_client.py
@@ -2,7 +2,7 @@
 # -*- coding: utf-8 -*-
 from logging import getLogger
 from json import loads
-import xml.etree.ElementTree as etree
+import defusedxml.ElementTree as etree # etree parse unsafe
 from threading import Thread
 from ssl import CERT_NONE
 from xbmc import sleep