cinder/requirements.txt
Sean McGinnis 4137c33922 Use defusedxml for XML parsing
The built-in xml module has some vulnerabilities to several known
XML attacks. While the chances of this are limited with the way
it is being used by some of the volume drivers, it is still a
security risk that has been identified and has a mostly painless
way to be mitigated with the defusedxml package [1].

There are still some drivers performing XML parsing that are not
covered by this patch. They need closer analysis to see how to
best switch to the defusedxml equivalents.

This patch covers the instances where it was a mostly drop in and
replace from the native xml functionality to the defusedxml
alternatives.

[1] https://github.com/tiran/defusedxml/blob/master/README.md

Change-Id: I083fc23eab6f712264919a250c6fb57cc0f6a11b
Partial-bug: #1732155
2017-12-16 17:44:14 -06:00

# The order of packages is significant, because pip processes them in the order
# of appearance. Changing the order has an impact on the overall integration
# process, which may cause wedges in the gate later.
pbr!=2.1.0,>=2.0.0 # Apache-2.0
Babel!=2.4.0,>=2.3.4 # BSD
decorator>=3.4.0 # BSD
defusedxml>=0.5.0 # PSF
enum34>=1.0.4;python_version=='2.7' or python_version=='2.6' or python_version=='3.3' # BSD
eventlet!=0.18.3,!=0.20.1,<0.21.0,>=0.18.2 # MIT
greenlet>=0.4.10 # MIT
httplib2>=0.9.1 # MIT
iso8601>=0.1.11 # MIT
jsonschema<3.0.0,>=2.6.0 # MIT
ipaddress>=1.0.16;python_version<'3.3' # PSF
keystoneauth1>=3.3.0 # Apache-2.0
keystonemiddleware>=4.17.0 # Apache-2.0
lxml!=3.7.0,>=3.4.1 # BSD
oauth2client!=4.0.0,>=1.5.0 # Apache-2.0
oslo.config>=5.1.0 # Apache-2.0
oslo.concurrency>=3.20.0 # Apache-2.0
oslo.context>=2.19.2 # Apache-2.0
oslo.db>=4.27.0 # Apache-2.0
oslo.log>=3.30.0 # Apache-2.0
oslo.messaging>=5.29.0 # Apache-2.0
oslo.middleware>=3.31.0 # Apache-2.0
oslo.policy>=1.30.0 # Apache-2.0
oslo.privsep>=1.23.0 # Apache-2.0
oslo.reports>=1.18.0 # Apache-2.0
oslo.rootwrap>=5.8.0 # Apache-2.0
oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0
oslo.service>=1.24.0 # Apache-2.0
oslo.utils>=3.31.0 # Apache-2.0
oslo.versionedobjects>=1.28.0 # Apache-2.0
osprofiler>=1.4.0 # Apache-2.0
paramiko>=2.0.0 # LGPLv2.1+
Paste>=2.0.2 # MIT
PasteDeploy>=1.5.0 # MIT
PrettyTable<0.8,>=0.7.1 # BSD
psutil>=3.2.2 # BSD
pyparsing>=2.1.0 # MIT
python-barbicanclient!=4.5.0,!=4.5.1,>=4.0.0 # Apache-2.0
python-glanceclient>=2.8.0 # Apache-2.0
python-keystoneclient>=3.8.0 # Apache-2.0
python-novaclient>=9.1.0 # Apache-2.0
python-swiftclient>=3.2.0 # Apache-2.0
pytz>=2013.6 # MIT
requests>=2.14.2 # Apache-2.0
retrying!=1.3.0,>=1.2.3 # Apache-2.0
Routes>=2.3.1 # MIT
taskflow>=2.7.0 # Apache-2.0
rtslib-fb!=2.1.60,!=2.1.61,>=2.1.43 # Apache-2.0
simplejson>=3.5.1 # MIT
six>=1.10.0 # MIT
SQLAlchemy!=1.1.5,!=1.1.6,!=1.1.7,!=1.1.8,>=1.0.10 # MIT
sqlalchemy-migrate>=0.11.0 # Apache-2.0
stevedore>=1.20.0 # Apache-2.0
suds-jurko>=0.6 # LGPLv3+
WebOb>=1.7.1 # MIT
oslo.i18n>=3.15.3 # Apache-2.0
oslo.vmware>=2.17.0 # Apache-2.0
os-brick>=2.1.1 # Apache-2.0
os-win>=2.0.0 # Apache-2.0
tooz>=1.58.0 # Apache-2.0
google-api-python-client>=1.4.2 # Apache-2.0
castellan>=0.14.0 # Apache-2.0
cryptography!=2.0,>=1.9 # BSD/Apache-2.0
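
The commit message above says some drivers still parse XML with the built-in modules and need closer analysis. The following is an added example, not code from the Cinder tree or from this commit: a stdlib-only scanner that lists such imports with the defusedxml module mirroring each one. The function name, the constructed SAMPLE_DRIVER source, and the choice to flag lxml.etree for manual review are assumptions of this example.

```python
import ast

# Stdlib XML modules and the defusedxml module that mirrors each one.
# None means "no drop-in assumed here, review by hand" (assumption for lxml).
DEFUSED_EQUIVALENT = {
    "xml.etree.ElementTree": "defusedxml.ElementTree",
    "xml.etree.cElementTree": "defusedxml.cElementTree",
    "xml.dom.minidom": "defusedxml.minidom",
    "xml.dom.pulldom": "defusedxml.pulldom",
    "xml.sax": "defusedxml.sax",
    "lxml.etree": None,
}

# Constructed sample input, not a real Cinder driver.
SAMPLE_DRIVER = '''\
import json
import xml.etree.ElementTree as ET
from xml.dom import minidom
from defusedxml import ElementTree as safe_etree
from lxml import etree

def parse_reply(body):
    return ET.fromstring(body)
'''


def find_unsafe_xml_imports(source, filename="<source>"):
    """Return sorted (lineno, imported_module, defusedxml_module_or_None)."""
    findings = set()
    for node in ast.walk(ast.parse(source, filename=filename)):
        if isinstance(node, ast.Import):
            candidates = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            # "from xml.dom import minidom" splits the module name in two parts.
            candidates = [node.module]
            candidates += ["%s.%s" % (node.module, a.name) for a in node.names]
        else:
            continue
        for name in candidates:
            if name in DEFUSED_EQUIVALENT:
                findings.add((node.lineno, name, DEFUSED_EQUIVALENT[name]))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, module, safe in find_unsafe_xml_imports(SAMPLE_DRIVER):
        print("line %d: %s -> %s" % (lineno, module, safe or "manual review"))
```

The scanner only reports imports; each call site still has to be checked, since the commit describes the switch as mostly, not always, drop-in.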