
Replaces some etree.tostring calls, that were introduced recently, b…
…y the sanitized call provided by defusedxml . Release 2.2.3
pitbulk committed Jun 15, 2017
1 parent 9dc6cbd commit 0799719
Showing 6 changed files with 15 additions and 10 deletions.
2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -14,6 +14,8 @@ Python3: [python3-saml](https://github.com/onelogin/python3-saml).

#### Warning ####

Update python-saml to 2.2.3, this version replaces some etree.tostring calls, that were introduced recfently, by the sanitized call provided by defusedxml

Update python-saml to 2.2.0, this version includes a security patch that contains extra validations that will prevent signature wrapping attacks. [CVE-2016-1000252](https://github.com/distributedweaknessfiling/DWF-Database-Artifacts/blob/master/DWF/2016/1000252/CVE-2016-1000252.json)

python-saml < v2.2.0 is vulnerable and allows signature wrapping!
4 changes: 4 additions & 0 deletions changelog.md
@@ -1,4 +1,8 @@
# python-saml changelog
### 2.2.3 (Jun 15, 2017)
* Replace some etree.tostring calls, that were introduced recfently, by the sanitized call provided by defusedxml
* Update dm.xmlsec.binding requirement to 1.3.3 version

### 2.2.2 (May 18, 2017)
* Be able to relax SSL Certificate verification when retrieving idp metadata
* [#195](https://github.com/onelogin/python-saml/pull/195) Be able to register future SP x509cert on the settings and publish it on SP metadata
2 changes: 1 addition & 1 deletion setup.py
Expand Up @@ -9,7 +9,7 @@

setup(
name='python-saml',
version='2.2.2',
version='2.2.3',
description='Onelogin Python Toolkit. Add SAML support to your Python software using this library',
classifiers=[
'Development Status :: 5 - Production/Stable',
4 changes: 2 additions & 2 deletions src/onelogin/saml2/auth.py
Expand Up @@ -13,7 +13,7 @@

from base64 import b64encode
from urllib import quote_plus
from lxml import etree
from defusedxml.lxml import tostring

from onelogin.saml2.settings import OneLogin_Saml2_Settings
from onelogin.saml2.response import OneLogin_Saml2_Response
Expand Down Expand Up @@ -486,7 +486,7 @@ def get_last_response_xml(self, pretty_print_if_possible=False):
if isinstance(self.__last_response, basestring):
response = self.__last_response
else:
response = etree.tostring(self.__last_response, pretty_print=pretty_print_if_possible)
response = tostring(self.__last_response, pretty_print=pretty_print_if_possible)
return response

def get_last_request_xml(self):
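Review bot: Dropping `from lxml import etree` on the removed import line is only safe if no other `etree.` reference remains in auth.py; Python resolves module globals at call time, so a leftover use would surface as a NameError on whatever code path reaches it rather than at import, and the same applies to the `from lxml import etree` removed from response.py. A quick search of both files for `etree.` before release would settle it. Separately, `get_last_response_xml` now serializes through defusedxml's wrapper, which as far as I know runs a docinfo check (rejecting entity declarations, and DTDs when configured) before delegating to lxml's serializer, so this accessor can now raise defusedxml exceptions; a docstring line such as `Raises defusedxml.EntitiesForbidden/DTDForbidden if the cached response tree carries such declarations.` would tell callers to expect it. get_last_response_xml starts outside the hunk.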
7 changes: 3 additions & 4 deletions src/onelogin/saml2/response.py
Expand Up @@ -11,8 +11,7 @@

from base64 import b64decode
from copy import deepcopy
from lxml import etree
from defusedxml.lxml import fromstring
from defusedxml.lxml import tostring, fromstring
from xml.dom.minidom import Document

from onelogin.saml2.constants import OneLogin_Saml2_Constants
Expand Down Expand Up @@ -107,7 +106,7 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
if self.__settings.is_strict():
no_valid_xml_msg = 'Invalid SAML Response. Not match the saml-schema-protocol-2.0.xsd'
res = OneLogin_Saml2_Utils.validate_xml(
etree.tostring(self.document),
tostring(self.document),
'saml-schema-protocol-2.0.xsd',
self.__settings.is_debug_active()
)
Expand All @@ -120,7 +119,7 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
# If encrypted, check also the decrypted document
if self.encrypted:
res = OneLogin_Saml2_Utils.validate_xml(
etree.tostring(self.decrypted_document),
tostring(self.decrypted_document),
'saml-schema-protocol-2.0.xsd',
self.__settings.is_debug_active()
)
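Review bot: The two replaced calls serialize `self.document` and `self.decrypted_document` only on the schema-validation path inside `is_valid`, so the docinfo check that defusedxml's tostring adds (as far as I know it rejects entity declarations before delegating to lxml) runs only when that path is taken; the parse-time guard — `fromstring` from the same import line for the response, and whatever parses the decrypted document, which is outside this hunk — remains the control that matters. A comment on the consolidated import line would make that intent explicit for the next reader, e.g. `# defused variants: fromstring rejects entity/DTD tricks at parse time; tostring re-checks docinfo before serializing`. is_valid starts before and ends after the hunks.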
6 changes: 3 additions & 3 deletions src/onelogin/saml2/utils.py
Expand Up @@ -153,7 +153,7 @@ def validate_xml(xml, schema, debug=False):

return 'invalid_xml'

return parseString(etree.tostring(dom, encoding='unicode').encode('utf-8'))
return parseString(tostring(dom, encoding='unicode').encode('utf-8'))

@staticmethod
def format_cert(cert, heads=True):
Expand Down Expand Up @@ -680,7 +680,7 @@ def generate_name_id(value, sp_nq, sp_format, cert=None, debug=False, nq=None):

edata = enc_ctx.encryptXml(enc_data, elem[0])

newdoc = parseString(etree.tostring(edata, encoding='unicode').encode('utf-8'))
newdoc = parseString(tostring(edata, encoding='unicode').encode('utf-8'))

if newdoc.hasChildNodes():
child = newdoc.firstChild
Expand Down Expand Up @@ -897,7 +897,7 @@ def add_sign(xml, key, cert, debug=False, sign_algorithm=OneLogin_Saml2_Constant
dsig_ctx.signKey = sign_key
dsig_ctx.sign(signature)

newdoc = parseString(etree.tostring(elem, encoding='unicode').encode('utf-8'))
newdoc = parseString(tostring(elem, encoding='unicode').encode('utf-8'))

signature_nodes = newdoc.getElementsByTagName("Signature")

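Review bot: Each replaced line feeds the defused serialization straight into `parseString`, whose import is outside the hunk; if that is `xml.dom.minidom.parseString` rather than `defusedxml.minidom.parseString`, the round trips in `validate_xml`, `generate_name_id` and `add_sign` still end in a stock expat parse of the bytes. defusedxml's tostring, as far as I know, only checks the lxml tree's docinfo and then delegates to lxml's serializer, so the produced bytes should carry no entity declarations, but making the consuming parser the defused one as well keeps that guarantee independent of the serializer's behaviour. Worth confirming the import and, if it is the stdlib one, changing it to `from defusedxml.minidom import parseString`. The enclosing functions start and end outside the hunks.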
