Replaces some etree.tostring calls, that were introduced recfently, by the sanitized call provided by defusedxml . Release 2.2.3

pitbulk · pitbulk · commit 079971940928 · 2017-06-15T20:00:15.000+02:00
diff --git a/README.md b/README.md
@@ -14,6 +14,8 @@ Python3: [python3-saml](https://github.com/onelogin/python3-saml).
 
 #### Warning ####
 
+Update python-saml to 2.2.3, this version replaces some etree.tostring calls, that were introduced recfently,  by the sanitized call provided by defusedxml
+
 Update python-saml to 2.2.0, this version includes a security patch that contains extra validations that will prevent signature wrapping attacks. [CVE-2016-1000252](https://github.com/distributedweaknessfiling/DWF-Database-Artifacts/blob/master/DWF/2016/1000252/CVE-2016-1000252.json)
 
 python-saml < v2.2.0 is vulnerable and allows signature wrapping!
diff --git a/changelog.md b/changelog.md
@@ -1,4 +1,8 @@
 # python-saml changelog
+### 2.2.3 (Jun 15, 2017)
+* Replace some etree.tostring calls, that were introduced recfently,  by the sanitized call provided by defusedxml
+* Update dm.xmlsec.binding requirement to 1.3.3 version
+
 ### 2.2.2 (May 18, 2017)
 * Be able to relax SSL Certificate verification when retrieving idp metadata
 * [#195](https://github.com/onelogin/python-saml/pull/195) Be able to register future SP x509cert on the settings and publish it on SP metadata
diff --git a/setup.py b/setup.py
@@ -9,7 +9,7 @@
 
 setup(
     name='python-saml',
-    version='2.2.2',
+    version='2.2.3',
     description='Onelogin Python Toolkit. Add SAML support to your Python software using this library',
     classifiers=[
         'Development Status :: 5 - Production/Stable',
diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py
@@ -13,7 +13,7 @@
 
 from base64 import b64encode
 from urllib import quote_plus
-from lxml import etree
+from defusedxml.lxml import tostring
 
 from onelogin.saml2.settings import OneLogin_Saml2_Settings
 from onelogin.saml2.response import OneLogin_Saml2_Response
@@ -486,7 +486,7 @@ def get_last_response_xml(self, pretty_print_if_possible=False):
             if isinstance(self.__last_response, basestring):
                 response = self.__last_response
             else:
-                response = etree.tostring(self.__last_response, pretty_print=pretty_print_if_possible)
+                response = tostring(self.__last_response, pretty_print=pretty_print_if_possible)
         return response
 
     def get_last_request_xml(self):
diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py
@@ -11,8 +11,7 @@
 
 from base64 import b64decode
 from copy import deepcopy
-from lxml import etree
-from defusedxml.lxml import fromstring
+from defusedxml.lxml import tostring, fromstring
 from xml.dom.minidom import Document
 
 from onelogin.saml2.constants import OneLogin_Saml2_Constants
@@ -107,7 +106,7 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
             if self.__settings.is_strict():
                 no_valid_xml_msg = 'Invalid SAML Response. Not match the saml-schema-protocol-2.0.xsd'
                 res = OneLogin_Saml2_Utils.validate_xml(
-                    etree.tostring(self.document),
+                    tostring(self.document),
                     'saml-schema-protocol-2.0.xsd',
                     self.__settings.is_debug_active()
                 )
@@ -120,7 +119,7 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
                 # If encrypted, check also the decrypted document
                 if self.encrypted:
                     res = OneLogin_Saml2_Utils.validate_xml(
-                        etree.tostring(self.decrypted_document),
+                        tostring(self.decrypted_document),
                         'saml-schema-protocol-2.0.xsd',
                         self.__settings.is_debug_active()
                     )
diff --git a/src/onelogin/saml2/utils.py b/src/onelogin/saml2/utils.py
@@ -153,7 +153,7 @@ def validate_xml(xml, schema, debug=False):
 
             return 'invalid_xml'
 
-        return parseString(etree.tostring(dom, encoding='unicode').encode('utf-8'))
+        return parseString(tostring(dom, encoding='unicode').encode('utf-8'))
 
     @staticmethod
     def format_cert(cert, heads=True):
@@ -680,7 +680,7 @@ def generate_name_id(value, sp_nq, sp_format, cert=None, debug=False, nq=None):
 
             edata = enc_ctx.encryptXml(enc_data, elem[0])
 
-            newdoc = parseString(etree.tostring(edata, encoding='unicode').encode('utf-8'))
+            newdoc = parseString(tostring(edata, encoding='unicode').encode('utf-8'))
 
             if newdoc.hasChildNodes():
                 child = newdoc.firstChild
@@ -897,7 +897,7 @@ def add_sign(xml, key, cert, debug=False, sign_algorithm=OneLogin_Saml2_Constant
         dsig_ctx.signKey = sign_key
         dsig_ctx.sign(signature)
 
-        newdoc = parseString(etree.tostring(elem, encoding='unicode').encode('utf-8'))
+        newdoc = parseString(tostring(elem, encoding='unicode').encode('utf-8'))
 
         signature_nodes = newdoc.getElementsByTagName("Signature")
 
