From 41d733e77fd4835a55de82f288b88a2196db81c8 Mon Sep 17 00:00:00 2001 From: mathieui Date: Fri, 18 Mar 2022 23:58:37 +0100 Subject: Only defuse stdlib through an env var https://github.com/inducer/relate/issues/905 --- slixmpp/__init__.py | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/slixmpp/__init__.py b/slixmpp/__init__.py index 403c9299..a4796d78 100644 --- a/slixmpp/__init__.py +++ b/slixmpp/__init__.py @@ -4,14 +4,18 @@ # This file is part of Slixmpp. # See the file LICENSE for copying permission. import logging +from os import getenv logging.getLogger(__name__).addHandler(logging.NullHandler()) -# Use defusedxml if available -try: - import defusedxml - defusedxml.defuse_stdlib() -except ImportError: - pass +# Use defusedxml if wanted +# Since enabling it can have adverse consequences for the programs using +# slixmpp, do not enable it by default. +if getenv('SLIXMPP_ENABLE_DEFUSEDXML', default='false').lower() == 'true': + try: + import defusedxml + defusedxml.defuse_stdlib() + except ImportError: + pass from slixmpp.stanza import Message, Presence, Iq from slixmpp.jid import JID, InvalidJID -- cgit v1.2.3