Further security fixes

dmptrluke · dmptrluke · commit 8aa367f0872d · 2015-02-23T12:04:29.000+13:00
diff --git a/cloudbot/util/http.py b/cloudbot/util/http.py
@@ -18,6 +18,9 @@
 # noinspection PyUnresolvedReferences
 from urllib.error import URLError, HTTPError
 
+# security
+parser = etree.XMLParser(resolve_entities=False, no_network=True)
+
 ua_cloudbot = 'Cloudbot/DEV http://github.com/CloudDev/CloudBot'
 
 ua_firefox = 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0' \
@@ -52,7 +55,7 @@ def get_soup(*args, **kwargs):
 
 def get_xml(*args, **kwargs):
     kwargs["decode"] = False  # we don't want to decode, for etree
-    return etree.fromstring(get(*args, **kwargs))
+    return etree.fromstring(get(*args, **kwargs), parser=parser)
 
 
 def get_json(*args, **kwargs):
diff --git a/plugins/steam_user.py b/plugins/steam_user.py
@@ -4,6 +4,8 @@
 from cloudbot import hook
 from cloudbot.util import formatting
 
+# security
+parser = etree.XMLParser(resolve_entities=False, no_network=True)
 
 API_URL = "http://steamcommunity.com/id/{}/"
 ID_BASE = 76561197960265728
@@ -64,7 +66,7 @@ def get_data(user):
     except (requests.exceptions.HTTPError, requests.exceptions.ConnectionError) as e:
         raise SteamError("Could not get user info: {}".format(e))
 
-    profile = etree.fromstring(request.content)
+    profile = etree.fromstring(request.content, parser=parser)
 
     try:
         data["name"] = profile.find('steamID').text
diff --git a/plugins/tvdb.py b/plugins/tvdb.py
@@ -5,6 +5,9 @@
 
 from cloudbot import hook
 
+# security
+parser = etree.XMLParser(resolve_entities=False, no_network=True)
+
 base_url = "http://thetvdb.com/api/"
 
 
@@ -20,7 +23,7 @@ def get_episodes_for_series(series_name, api_key):
         res["error"] = "error contacting thetvdb.com"
         return res
 
-    query = etree.fromstring(request.content)
+    query = etree.fromstring(request.content, parser=parser)
     series_id = query.xpath('//seriesid/text()')
 
     if not series_id:
@@ -36,7 +39,7 @@ def get_episodes_for_series(series_name, api_key):
         res["error"] = "error contacting thetvdb.com"
         return res
 
-    series = etree.fromstring(_request.content)
+    series = etree.fromstring(_request.content, parser=parser)
     series_name = series.xpath('//SeriesName/text()')[0]
 
     if series.xpath('//Status/text()')[0] == 'Ended':
diff --git a/plugins/wikipedia.py b/plugins/wikipedia.py
@@ -8,6 +8,9 @@
 from cloudbot import hook
 from cloudbot.util import formatting
 
+# security
+parser = etree.XMLParser(resolve_entities=False, no_network=True)
+
 api_prefix = "http://en.wikipedia.org/w/api.php"
 search_url = api_prefix + "?action=opensearch&format=xml"
 random_url = api_prefix + "?action=query&format=xml&list=random&rnlimit=1&rnnamespace=0"
@@ -24,7 +27,7 @@ def wiki(text):
         request.raise_for_status()
     except (requests.exceptions.HTTPError, requests.exceptions.ConnectionError) as e:
         return "Could not get Wikipedia page: {}".format(e)
-    x = etree.fromstring(request.text)
+    x = etree.fromstring(request.text, parser=parser)
 
     ns = '{http://opensearch.org/searchsuggest2}'
     items = x.findall(ns + 'Section/' + ns + 'Item')
diff --git a/plugins/wolframalpha.py b/plugins/wolframalpha.py
@@ -7,6 +7,8 @@
 from cloudbot import hook
 from cloudbot.util import web, formatting
 
+# security
+parser = etree.XMLParser(resolve_entities=False, no_network=True)
 
 api_url = 'http://api.wolframalpha.com/v2/query'
 query_url = 'http://www.wolframalpha.com/input/?i={}'
@@ -28,7 +30,7 @@ def wolframalpha(text, bot):
     if request.status_code != requests.codes.ok:
         return "Error getting query: {}".format(request.status_code)
 
-    result = etree.fromstring(request.content)
+    result = etree.fromstring(request.content, parser=parser)
 
     # get the URL for a user to view this query in a browser
     short_url = web.try_shorten(query_url.format(urllib.parse.quote_plus(text)))
