[python-ldap] Anyone using python-ldap's dsml module?

Michael Ströder michael at stroeder.com
Tue Aug 15 11:31:14 EDT 2017


Is anyone here using the dsml module shipped with python-ldap?

Rather, I'd like to drop the dsml module from python-ldap for these reasons:
- it only supports DSMLv1
- AFAIK no-one uses it anyway
- it's stand-alone and could easily be shipped as a separate module if needed
- I have no spare time for maintaining it

So if anyone would like to use it any longer, speak up now.

See below the output of the static code analyser bandit
(see https://pypi.python.org/pypi/bandit) for the reason why I'm asking.
I won't spend time investigating this in detail.

Ciao, Michael.

-------------------------------------- snip -------------------------------------------
Run started:2017-08-15 15:22:12.836064

Test results:
>> Issue: [B406:blacklist] Using xml.sax to parse untrusted XML data is known to be
vulnerable to XML attacks. Replace xml.sax with the equivalent defusedxml package, or
make sure defusedxml.defuse_stdlib() is called.
   Severity: Low   Confidence: High
   Location: Lib/dsml.py:153
153       import xml.sax,xml.sax.handler

>> Issue: [B317:blacklist] Using xml.sax.make_parser to parse untrusted XML data is known
to be vulnerable to XML attacks. Replace xml.sax.make_parser with its defusedxml
equivalent function or make sure defusedxml.defuse_stdlib() is called
   Severity: Medium   Confidence: High
   Location: Lib/dsml.py:279
278           self.records_read = 0
279           self._parser = xml.sax.make_parser()
280           self._parser.setFeature(xml.sax.handler.feature_namespaces,0)

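The defusedxml-style replacement bandit recommends for the make_parser() call above, as an added example that is not part of this post or of python-ldap's dsml module: a stdlib-only SAX parser that mirrors the defusedxml.sax technique (pyexpat callbacks that refuse every entity declaration and external reference), driven by a constructed minimal DSMLv1 reader. HardenedExpatParser, DSMLEntryHandler, read_dsml and both sample documents are assumptions made here.

```python
import io
import xml.sax
import xml.sax.handler
from xml.sax.expatreader import ExpatParser

class EntitiesForbidden(xml.sax.SAXException):
    """Raised on any <!ENTITY> declaration or external reference."""

class HardenedExpatParser(ExpatParser):
    """Hypothetical make_parser() replacement using defusedxml's refusing-callback technique."""
    def reset(self):
        super().reset()  # stdlib builds self._parser (pyexpat) and installs its hooks
        self._parser.EntityDeclHandler = self._forbid         # every <!ENTITY ...>
        self._parser.ExternalEntityRefHandler = self._forbid  # external DTD / entity fetch
    def _forbid(self, name, *rest):
        raise EntitiesForbidden("refused entity or external reference %r" % (name,))

class DSMLEntryHandler(xml.sax.handler.ContentHandler):
    """Tiny DSMLv1 reader (constructed, not python-ldap's): {dn: {attr: [values]}}."""
    def __init__(self):
        super().__init__()
        self.entries, self._dn, self._attr, self._text = {}, None, None, []
    def startElement(self, name, attrs):
        if name == "dsml:entry":
            self._dn = attrs["dn"]
            self.entries[self._dn] = {}
        elif name == "dsml:attr":
            self._attr = attrs["name"]
        elif name == "dsml:value":
            self._text = []
    def characters(self, content):
        self._text.append(content)
    def endElement(self, name):
        if name == "dsml:value":
            self.entries[self._dn].setdefault(self._attr, []).append("".join(self._text))

def read_dsml(data, hardened=True):
    """Parse DSMLv1 bytes; hardened=False is the plain xml.sax.make_parser() path dsml.py uses."""
    parser = HardenedExpatParser() if hardened else xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_namespaces, 0)
    handler = DSMLEntryHandler()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data))
    return handler.entries

# Constructed samples: one benign entry, and the same entry with an entity declared.
BENIGN_DSML = (b'<dsml:dsml xmlns:dsml="http://www.dsml.org/DSML"><dsml:directory-entries>'
               b'<dsml:entry dn="cn=alice,dc=example,dc=com"><dsml:attr name="cn">'
               b'<dsml:value>alice</dsml:value></dsml:attr></dsml:entry></dsml:directory-entries></dsml:dsml>')
ENTITY_DSML = b'<!DOCTYPE dsml:dsml [<!ENTITY x "alice">]>' + BENIGN_DSML.replace(b">alice<", b">&x;<")
```

The plain parser silently expands the declared entity, while the hardened one raises before the document body is even reached; in real code use defusedxml.sax.make_parser() or defusedxml.defuse_stdlib() rather than this hand-rolled subclass.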