Commit 072ee181 authored by jvoisin's avatar jvoisin

Remove defusedxml support and document why

parent 3649c0cc
......@@ -61,3 +61,11 @@ Images handling
When possible, images are handled like PDF: rendered on a surface, then saved
to the filesystem. This ensures that every metadata is removed.
XML attacks
Since our thread model conveniently excludes files crafted to specifically
bypass MAT2, fileformats containing harmful XML are out of our scope.
But since MAT2 is using [etree](
to process XML, it's "only" vulnerable to DoS, and not memory corruption:
odds are that the user will notice that the cleaning didn't succeed.
......@@ -7,11 +7,7 @@ import zipfile
import logging
from typing import Dict, Set, Pattern
try: # protect against DoS
from defusedxml import ElementTree as ET # type: ignore
except ImportError:
import xml.etree.ElementTree as ET # type: ignore
import xml.etree.ElementTree as ET # type: ignore
from . import abstract, parser_factory
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment