Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

defusedxml is deprecated (by his author)

See original GitHub issue

Hi, In this issue the author said no more need of defusedxml but bandit still recommend it.

https://github.com/tiran/defusedxml/issues/25 defusedxml.lxml is no longer needed and supported. Nowadays libxml2 has builtin limitation for entity expansion.

What I can find about these vulnerabilities, libxml2 seems to have been patched in 2013, ref : CVE-2013-1664 CVE-2013-1665

They have been patched on EL6 and never existed on EL7

Best regards,

Issue Analytics

State:
Created 5 years ago
Reactions:1
Comments:5 (3 by maintainers)

Top GitHub Comments

2reactions

Poilcommented, Feb 4, 2019

Hi,

OK but today we have a warning on from lxml import etree and on all etree call If defusedxml.lxml is deprecated we should not have a warning on these, no ?

Best regards,

1reaction

gilbsgilbscommented, Jun 19, 2019

Hi. @lukehinds could you please re-open or reply to @Poil? I am also affected by this and I am not sure what to do. ~Shouldn’t lxml be whitelisted by bandit?~ Thanks!

Edit: I guess this is the issue to track: https://github.com/tiran/defusedxml/issues/38 ? It should be safe to use defusedxml.lxml until a better solution is found by them.