security fixes

rowers/plannedsessions.py

@@ -888,6 +888,10 @@ def get_dates_timeperiod(request, startdatestring='', enddatestring='',
                 startdate = timezone.now()-timezone.timedelta(days=5)
                 startdate = startdate.date()
                 enddate = timezone.now().date()
+            except parser.ParserError:
+                startdate = timezone.now()-timezone.timedelta(days=5)
+                startdate = startdate.date()
+                enddate = timezone.now().date()
 
         if startdate > enddate:
             e = startdate

rowers/views/apiviews.py

@@ -2,7 +2,8 @@ from rowers.views.statements import *
 from rowers.tasks import handle_calctrimp
 from rowers.opaque import encoder
 from rowers.courses import coursetokml, coursestokml
-from xml.etree import ElementTree as ET
+#from xml.etree import ElementTree as ET
+from defusedxml import ElementTree as ET
 
 import arrow
 import pendulum
@@ -28,6 +29,8 @@ class XMLParser(BaseParser):
         dologging("apilog.log", "XML Parser")
         try:
             s = ET.parse(stream).getroot()
+        except ET.XMLSyntaxError:
+            return HttpResponse(status=400)
         except Exception as e: # pragma: no cover
             dologging("apilog.log",e)
             return HttpResponse(status=500)

rowers/weather.py

@@ -2,7 +2,8 @@ import requests
 from requests.exceptions import ConnectionError
 import json
 from lxml import objectify, etree
-import xml.etree.ElementTree as ET
+#import xml.etree.ElementTree as ET
+from defusedxml import ElementTree as ET
 import time
 from datetime import datetime
 from rowingdata import rowingdata, geo_distance