Protect against XML DOS attacks

Only XML content from authenticated users is parsed.
2025-08-22 19:20:54 +00:00 · 2020-01-19 18:39:31 +01:00 · 2020-01-19 18:39:31 +01:00 · e11661ff3e
commit e11661ff3e
parent 562d3aacec
3 changed files with 6 additions and 4 deletions
--- a/radicale/app/init.py
+++ b/radicale/app/init.py
@ -37,6 +37,7 @@ import zlib
 from http import client
 from xml.etree import ElementTree as ET

+import defusedxml.ElementTree as DefusedET
 import pkg_resources

 from radicale import (auth, httputils, log, pathutils, rights, storage, web,
@ -355,7 +356,7 @@ class Application(
        if not content:
            return None
        try:
-            xml_content = ET.fromstring(content)
+            xml_content = DefusedET.fromstring(content)
        except ET.ParseError as e:
            logger.debug("Request content (Invalid XML):\n%s", content)
            raise RuntimeError("Failed to parse XML: %s" % e) from e
--- a/radicale/tests/test_base.py
+++ b/radicale/tests/test_base.py
@ -26,9 +26,9 @@ import posixpath
 import shutil
 import sys
 import tempfile
-import xml.etree.ElementTree as ET
 from functools import partial

+import defusedxml.ElementTree as DefusedET
 import pytest

 from radicale import Application, config, storage
@ -1161,7 +1161,7 @@ class BaseRequestsMixIn:
        if sync_token and status == 409:
            return None, None
        assert status == 207
-        xml = ET.fromstring(answer)
+        xml = DefusedET.fromstring(answer)
        sync_token = xml.find("{DAV:}sync-token").text.strip()
        assert sync_token
        return sync_token, xml