SAAS-1132: Improve safety of XML parsing for listener stats

python_apps/pypo/pypo/listenerstat.py

@@ -1,6 +1,6 @@
 from threading import Thread
 import urllib2
-import xml.dom.minidom
+import defusedxml.minidom
 import base64
 from datetime import datetime
 import traceback
@@ -64,7 +64,7 @@ class ListenerStat(Thread):
         else:
             url = 'http://%(host)s:%(port)s/admin/stats.xml' % ip
             document = self.get_stream_server_xml(ip, url)
-        dom = xml.dom.minidom.parseString(document)
+        dom = defusedxml.minidom.parseString(document)
         sources = dom.getElementsByTagName("source")
 
         mount_stats = None
@@ -87,7 +87,7 @@ class ListenerStat(Thread):
     def get_shoutcast_stats(self, ip):
         url = 'http://%(host)s:%(port)s/admin.cgi?sid=1&mode=viewxml' % ip
         document = self.get_stream_server_xml(ip, url, is_shoutcast=True)
-        dom = xml.dom.minidom.parseString(document)
+        dom = defusedxml.parseString(document)
         current_listeners = dom.getElementsByTagName("CURRENTLISTENERS")
 
         timestamp = datetime.utcnow().strftime("%Y-%m-%d %H:%M:%S")

python_apps/pypo/setup.py

@@ -58,7 +58,8 @@ setup(name='airtime-playout',
           'pyinotify',
           'pytz',
           'requests',
-          'wsgiref'
+          'wsgiref',
+          'defusedxml'
       ],
       zip_safe=False,
       data_files=data_files)