security fixes

2024-12-02 22:03:53 +01:00
parent b33f59e636
commit a69384fdd3
4 changed files with 10 additions and 2 deletions
--- a/rowers/views/apiviews.py
+++ b/rowers/views/apiviews.py
@@ -2,7 +2,8 @@ from rowers.views.statements import *
 from rowers.tasks import handle_calctrimp
 from rowers.opaque import encoder
 from rowers.courses import coursetokml, coursestokml
-from xml.etree import ElementTree as ET
+#from xml.etree import ElementTree as ET
+from defusedxml import ElementTree as ET

 import arrow
 import pendulum
@@ -28,6 +29,8 @@ class XMLParser(BaseParser):
        dologging("apilog.log", "XML Parser")
        try:
            s = ET.parse(stream).getroot()
+        except ET.XMLSyntaxError:
+            return HttpResponse(status=400)
        except Exception as e: # pragma: no cover
            dologging("apilog.log",e)
            return HttpResponse(status=500)