--- file_not_specified_in_diff
+++ file_not_specified_in_diff
@@ -, +, @@
This fixes XXE issues on anything where pysaml2 parses XML directly as part of issue #366. It doesn't address the xmlsec issues discussed on that ticket as they are out of reach of a direct fix and need the underlying library to fix this issue.
.
The patch has been backported form the 3.0 branch to 2.0 by zigo@debian.org.
--- python-pysaml2-2.0.0.orig/setup.py
+++ python-pysaml2-2.0.0/setup.py
@@ -46,7 +46,8 @@ install_requires = [
     'pycrypto', # 'Crypto'
     'pytz',
     'pyOpenSSL',
-    'python-dateutil'
+    'python-dateutil',
+    'defusedxml'
 ]
 
 tests_require = [
--- python-pysaml2-2.0.0.orig/src/saml2/__init__.py
+++ python-pysaml2-2.0.0/src/saml2/__init__.py
@@ -33,6 +33,7 @@ except ImportError:
         import cElementTree as ElementTree
     except ImportError:
         from elementtree import ElementTree
+import defusedxml.ElementTree
 
 root_logger = logging.getLogger(__name__)
 root_logger.level = logging.NOTSET
@@ -82,7 +83,7 @@ def create_class_from_xml_string(target_
         the contents of the XML - or None if the root XML tag and namespace did
         not match those of the target class.
     """
-    tree = ElementTree.fromstring(xml_string)
+    tree = defusedxml.ElementTree.fromstring(xml_string)
     return create_class_from_element_tree(target_class, tree)
 
 
@@ -264,7 +265,7 @@ class ExtensionElement(object):
 
 
 def extension_element_from_string(xml_string):
-    element_tree = ElementTree.fromstring(xml_string)
+    element_tree = defusedxml.ElementTree.fromstring(xml_string)
     return _extension_element_from_element_tree(element_tree)
 
 
--- python-pysaml2-2.0.0.orig/src/saml2/pack.py
+++ python-pysaml2-2.0.0/src/saml2/pack.py
@@ -48,6 +48,7 @@ except ImportError:
         import cElementTree as ElementTree
     except ImportError:
         from elementtree import ElementTree
+import defusedxml.ElementTree
 
 NAMESPACE = "http://schemas.xmlsoap.org/soap/envelope/"
 FORM_SPEC = """
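Review bot: The added `'defusedxml'` entry in install_requires carries no lower bound, which matches the unpinned `'pycrypto'`, `'pytz'`, `'pyOpenSSL'` and `'python-dateutil'` entries above it, but this dependency is the security fix itself, so the version whose `fromstring` defaults (entities and external references forbidden) were actually tested is worth recording. A constraint such as `'defusedxml>=<minimum tested version>'` would do that and would keep a packager from satisfying the requirement with an arbitrary old release. The rest of the install_requires list is outside the hunk.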
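Review bot: On the changed `tree = defusedxml.ElementTree.fromstring(xml_string)` line, a document that declares entities or external references is now rejected by raising `defusedxml.DefusedXmlException`, a `ValueError` subclass rather than the `ParseError` the stock parser raises for bad input, so callers that catch only the old exception type will let such documents surface as an unhandled `ValueError`; the same applies to the `extension_element_from_string` hunk further down. The docstring directly above documents only the `None` return, so add a `Raises:` entry along the lines of `defusedxml.DefusedXmlException: the XML declares entities or external references and is refused as unsafe.` The call also keeps defusedxml's default of still accepting a DTD declaration; since SAML messages carry none, passing `forbid_dtd=True` would reject that remaining DTD-based surface outright. create_class_from_xml_string's signature and the start of its docstring are outside the hunk.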
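Review bot: The added `import defusedxml.ElementTree` is the only change visible in this pack.py hunk, and nothing in the visible lines uses it; the parsing call sites in pack.py that presumably switch to it are outside SOURCE, so whether every `ElementTree.fromstring` or `ElementTree.parse` on the SOAP unpacking path was converted cannot be confirmed here. If one remains, the envelope would still go through the stock parser and the XXE fix the commit message describes would be incomplete for that path. A comment on the new import, `# XML received from the wire must be parsed via defusedxml (XXE), not the ElementTree imported above`, would make the intended split explicit for later maintainers.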