Commit 072ee181 authored by Julien (jvoisin) Voisin

Remove defusedxml support and document why

parent 3649c0cc
...@@ -61,3 +61,11 @@ Images handling ...@@ -61,3 +61,11 @@ Images handling
When possible, images are handled like PDF: rendered on a surface, then saved When possible, images are handled like PDF: rendered on a surface, then saved
to the filesystem. This ensures that every metadata is removed. to the filesystem. This ensures that every metadata is removed.
XML attacks
-----------
Since our thread model conveniently excludes files crafted to specifically
bypass MAT2, fileformats containing harmful XML are out of our scope.
But since MAT2 is using [etree](https://docs.python.org/3/library/xml.html#xml-vulnerabilities)
to process XML, it's "only" vulnerable to DoS, and not memory corruption:
odds are that the user will notice that the cleaning didn't succeed.
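Review bot: The first added sentence says "thread model" where "threat model" is meant, and "fileformats" should be "file formats". The closing claim that "odds are that the user will notice that the cleaning didn't succeed" carries the whole argument for accepting a DoS, so it should state what the user actually sees when parsing fails or hangs (an error message, a non-zero exit, no cleaned file written) rather than leaving it as a likelihood.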
...@@ -7,11 +7,7 @@ import zipfile ...@@ -7,11 +7,7 @@ import zipfile
import logging import logging
from typing import Dict, Set, Pattern from typing import Dict, Set, Pattern
try: # protect against DoS import xml.etree.ElementTree as ET # type: ignore
from defusedxml import ElementTree as ET # type: ignore
except ImportError:
import xml.etree.ElementTree as ET # type: ignore
from . import abstract, parser_factory from . import abstract, parser_factory
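Review bot: The remaining `import xml.etree.ElementTree as ET` line loses the "# protect against DoS" comment and gets nothing in its place, so a reader of this file has no hint that using the plain standard-library parser is a deliberate choice; add a one-line comment pointing to the "XML attacks" section of the threat model so the defusedxml fallback is not reintroduced by accident. The `# type: ignore` kept on that line looks like a leftover from the try/except double import and is probably unnecessary now that there is a single import.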