security fixes

2024-12-02 22:03:53 +01:00
parent b33f59e636
commit a69384fdd3
4 changed files with 10 additions and 2 deletions
--- a/rowers/plannedsessions.py
+++ b/rowers/plannedsessions.py
@@ -888,6 +888,10 @@ def get_dates_timeperiod(request, startdatestring='', enddatestring='',
                startdate = timezone.now()-timezone.timedelta(days=5)
                startdate = startdate.date()
                enddate = timezone.now().date()
+            except parser.ParserError:
+                startdate = timezone.now()-timezone.timedelta(days=5)
+                startdate = startdate.date()
+                enddate = timezone.now().date()

        if startdate > enddate:
            e = startdate
--- a/rowers/tests/testdata/testdata.tcx.gz
+++ b/rowers/tests/testdata/testdata.tcx.gz
--- a/rowers/views/apiviews.py
+++ b/rowers/views/apiviews.py
@@ -2,7 +2,8 @@ from rowers.views.statements import *
 from rowers.tasks import handle_calctrimp
 from rowers.opaque import encoder
 from rowers.courses import coursetokml, coursestokml
-from xml.etree import ElementTree as ET
+#from xml.etree import ElementTree as ET
+from defusedxml import ElementTree as ET

 import arrow
 import pendulum
@@ -28,6 +29,8 @@ class XMLParser(BaseParser):
        dologging("apilog.log", "XML Parser")
        try:
            s = ET.parse(stream).getroot()
+        except ET.XMLSyntaxError:
+            return HttpResponse(status=400)
        except Exception as e: # pragma: no cover
            dologging("apilog.log",e)
            return HttpResponse(status=500)
--- a/rowers/weather.py
+++ b/rowers/weather.py
@@ -2,7 +2,8 @@ import requests
 from requests.exceptions import ConnectionError
 import json
 from lxml import objectify, etree
-import xml.etree.ElementTree as ET
+#import xml.etree.ElementTree as ET
+from defusedxml import ElementTree as ET
 import time
 from datetime import datetime
 from rowingdata import rowingdata, geo_distance