Merge "Mitigate possible XML denial of service"

2026-04-01 15:53:32 +00:00 · 2021-01-22 14:46:03 +00:00
parent e44f309d93 22d0489c73
commit 5db7eebe57
2 changed files with 14 additions and 2 deletions
--- a/pyghmi/ipmi/oem/lenovo/config.py
+++ b/pyghmi/ipmi/oem/lenovo/config.py
@@ -44,6 +44,12 @@ CLOSE_COMMAND = [0x05]
 SIZE_COMMAND = [0x06]


+def fromstring(inputdata):
+    if '!entity' in inputdata:
+        raise Exception('Unsupported XML')
+    return etree.fromstring(inputdata)
+
+
 def run_command_with_retry(connection, data):
    tries = 15
    while tries:
@@ -265,7 +271,7 @@ class LenovoFirmwareConfig(object):
            self.connection.ipmi_session.pause(2)
        if not data:
            raise Exception("BMC failed to return configuration information")
-        xml = etree.fromstring(data)
+        xml = fromstring(data)
        sortid = 0
        for config in xml.iter("config"):
            lenovo_id = config.get("ID")
--- a/pyghmi/ipmi/oem/lenovo/nextscale.py
+++ b/pyghmi/ipmi/oem/lenovo/nextscale.py
@@ -15,7 +15,7 @@
 import fnmatch
 import struct
 import weakref
-from xml.etree.ElementTree import fromstring
+from xml.etree.ElementTree import fromstring as rfromstring
 import zipfile

 import six
@@ -37,6 +37,12 @@ except NameError:
    pass


+def fromstring(inputdata):
+    if '!entity' in inputdata.lower():
+        raise Exception('!ENTITY not supported in this interface')
+    return rfromstring(inputdata)
+
+
 def stringtoboolean(originput, name):
    input = originput.lower()
    try: