diff options
| author | Tom Christie | 2013-02-22 13:17:22 +0000 |
|---|---|---|
| committer | Tom Christie | 2013-02-22 13:17:22 +0000 |
| commit | dcee027fa97f015ff3b87f0fd72b7995cdd6e155 (patch) | |
| tree | 676f581fe03c4a3e01d479756c590f75dc4aab4a /rest_framework/parsers.py | |
| parent | b261515afa18a5d2a38d729b174bbd99ddee14ac (diff) | |
| download | django-rest-framework-dcee027fa97f015ff3b87f0fd72b7995cdd6e155.tar.bz2 | |
defusedxml for security fix.
As per:
http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html
Diffstat (limited to 'rest_framework/parsers.py')
| -rw-r--r-- | rest_framework/parsers.py | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/rest_framework/parsers.py b/rest_framework/parsers.py index 06b02226..7bbb5f94 100644 --- a/rest_framework/parsers.py +++ b/rest_framework/parsers.py @@ -9,11 +9,9 @@ from django.conf import settings from django.http import QueryDict from django.http.multipartparser import MultiPartParser as DjangoMultiPartParser from django.http.multipartparser import MultiPartParserError -from rest_framework.compat import yaml, ETParseError, ET_XMLParser +from rest_framework.compat import yaml, etree from rest_framework.exceptions import ParseError from rest_framework.compat import six -from xml.etree import ElementTree as ET -from xml.parsers.expat import ExpatError import json import datetime import decimal @@ -80,6 +78,8 @@ class YAMLParser(BaseParser): `data` will be an object which is the parsed content of the response. `files` will always be `None`. """ + assert yaml, 'YAMLParser requires pyyaml to be installed' + parser_context = parser_context or {} encoding = parser_context.get('encoding', settings.DEFAULT_CHARSET) @@ -146,12 +146,14 @@ class XMLParser(BaseParser): media_type = 'application/xml' def parse(self, stream, media_type=None, parser_context=None): + assert etree, 'XMLParser requires defusedxml to be installed' + parser_context = parser_context or {} encoding = parser_context.get('encoding', settings.DEFAULT_CHARSET) - parser = ET_XMLParser(encoding=encoding) + parser = etree.DefusedXMLParser(encoding=encoding) try: - tree = ET.parse(stream, parser=parser) - except (ExpatError, ETParseError, ValueError) as exc: + tree = etree.parse(stream, parser=parser) + except (etree.ParseError, ValueError) as exc: raise ParseError('XML parse error - %s' % six.u(exc)) data = self._xml_convert(tree.getroot()) |