From 1bec2c005d741eb91108c35c908a77e85a3f2894 Mon Sep 17 00:00:00 2001
From: Daniel Welch
Date: Wed, 18 Oct 2017 10:21:46 -0400
Subject: [PATCH] using defusedxml ElementTree for safer parsing of untrusted XML data (#9934)
* using defusexml ElementTree for safer parsing of untrusted XML data
* move from core dependency to platform specific dependency
* style difference: put back end of list comma in setup.py
---
 homeassistant/components/device_tracker/upc_connect.py | 5 ++++-
 requirements_all.txt | 3 +++
 requirements_test_all.txt | 3 +++
 script/gen_requirements_all.py | 1 +
 4 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/homeassistant/components/device_tracker/upc_connect.py b/homeassistant/components/device_tracker/upc_connect.py
index a6646c8d0a1..338ce34048e 100644
--- a/homeassistant/components/device_tracker/upc_connect.py
+++ b/homeassistant/components/device_tracker/upc_connect.py
@@ -6,7 +6,6 @@ https://home-assistant.io/components/device_tracker.upc_connect/
 """
 import asyncio
 import logging
-import xml.etree.ElementTree as ET
 import aiohttp
 import async_timeout
@@ -19,6 +18,8 @@ from homeassistant.const import CONF_HOST
 from homeassistant.helpers.aiohttp_client import async_get_clientsession
+REQUIREMENTS = ['defusedxml==0.5.0']
+
 _LOGGER = logging.getLogger(__name__)
 DEFAULT_IP = '192.168.0.1'
@@ -63,6 +64,8 @@ class UPCDeviceScanner(DeviceScanner):
 @asyncio.coroutine
 def async_scan_devices(self):
 """Scan for new devices and return a list with found device IDs."""
+ import defusedxml.ElementTree as ET
+
 if self.token is None:
 token_initialized = yield from self.async_initialize_token()
 if not token_initialized:
diff --git a/requirements_all.txt b/requirements_all.txt
index 81e84f344cb..dd52fbbc5d3 100644
--- a/requirements_all.txt
+++ b/requirements_all.txt
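Review bot: With the module-level `import xml.etree.ElementTree as ET` removed in the first hunk of upc_connect.py, the name `ET` exists only inside `async_scan_devices` (third hunk), so any other function in the module that still refers to `ET` would raise NameError when it runs. The rest of the file is not shown in this patch, so that needs a quick search of the module before merging. If the local import is deliberate, presumably so the package listed in `REQUIREMENTS` is loaded only once the platform is set up, a one-line comment such as `# imported here because defusedxml is a platform requirement, not a core one` would record that.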
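Review bot: The parse call that uses `ET` lies below the third hunk of upc_connect.py, further down in `async_scan_devices`, so its error handling is not visible here and deserves a second look. defusedxml rejects a document that carries entity declarations by raising `EntitiesForbidden`, a `DefusedXmlException` (ValueError) subclass rather than `ParseError`. If the handler still catches only `ET.ParseError`, a router response of that kind would propagate out of the scan coroutine instead of being handled like any other malformed reply. Consider `from defusedxml import DefusedXmlException` next to the local import and `except (ET.ParseError, DefusedXmlException):` at the parse site.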
@@ -177,6 +177,9 @@ datapoint==0.4.3
 # homeassistant.components.light.decora_wifi
 # decora_wifi==1.3
+# homeassistant.components.device_tracker.upc_connect
+defusedxml==0.5.0
+
 # homeassistant.components.media_player.denonavr
 denonavr==0.5.4
diff --git a/requirements_test_all.txt b/requirements_test_all.txt
index 2348aa7fca4..4fbfaef6912 100644
--- a/requirements_test_all.txt
+++ b/requirements_test_all.txt
@@ -36,6 +36,9 @@ aiohttp_cors==0.5.3
 # homeassistant.components.notify.apns
 apns2==0.1.1
+# homeassistant.components.device_tracker.upc_connect
+defusedxml==0.5.0
+
 # homeassistant.components.sensor.dsmr
 dsmr_parser==0.11
diff --git a/script/gen_requirements_all.py b/script/gen_requirements_all.py
index 02c07f57adb..314acc4b4f7 100755
--- a/script/gen_requirements_all.py
+++ b/script/gen_requirements_all.py
@@ -37,6 +37,7 @@ TEST_REQUIREMENTS = (
 'aioautomatic',
 'aiohttp_cors',
 'apns2',
+ 'defusedxml',
 'dsmr_parser',
 'ephem',
 'evohomeclient',