Skip to content

Commit

Permalink
xmlrpclib replaced with xmlrpc in Python3 (#1012)
Browse files Browse the repository at this point in the history
The xmlrpclib of Python 2.x was replaced in Python 3 with
xmlrpc [1]. Since Bandit no longer supports Python 2.x, it needs
to update to the latest module name.

As indicted in [2], xmlrpc is still not secure against maliciously
constructed data.

[1] https://python.readthedocs.io/en/v2.7.2/library/xmlrpclib.html
[2] https://docs.python.org/3/library/xmlrpc.client.html#module-xmlrpc.client

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
  • Loading branch information
ericwb authored Apr 3, 2023
1 parent af6b436 commit 3260f13
Show file tree
Hide file tree
Showing 2 changed files with 3 additions and 3 deletions.
4 changes: 2 additions & 2 deletions bandit/blacklists/imports.py
Original file line number Diff line number Diff line change
Expand Up @@ -152,7 +152,7 @@
+------+---------------------+------------------------------------+-----------+
| ID | Name | Imports | Severity |
+======+=====================+====================================+===========+
| B411 | import_xmlrpclib | - xmlrpclib | high |
| B411 | import_xmlrpclib | - xmlrpc | high |
+------+---------------------+------------------------------------+-----------+
B412: import_httpoxy
Expand Down Expand Up @@ -374,7 +374,7 @@ def gen_blacklist():
"import_xmlrpclib",
"B411",
issue.Cwe.IMPROPER_INPUT_VALIDATION,
["xmlrpclib"],
["xmlrpc"],
"Using {name} to parse untrusted XML data is known to be "
"vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() "
"function to monkey-patch xmlrpclib and mitigate XML "
Expand Down
2 changes: 1 addition & 1 deletion examples/xml_xmlrpc.py
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
import xmlrpclib
import xmlrpc
from SimpleXMLRPCServer import SimpleXMLRPCServer

def is_even(n):
Expand Down

0 comments on commit 3260f13

Please sign in to comment.