using defusedxml ElementTree for safer parsing of untrusted XML data (h…

…ome-assistant#9934)

* using defusexml ElementTree for safer parsing of untrusted XML data

* move from core dependency to platform specific dependency

* style difference: put back end of list comma in setup.py

homeassistant/components/device_tracker/upc_connect.py

@@ -6,7 +6,6 @@
 """
 import asyncio
 import logging
-import xml.etree.ElementTree as ET
 
 import aiohttp
 import async_timeout
@@ -19,6 +18,8 @@
 from homeassistant.helpers.aiohttp_client import async_get_clientsession
 
 
+REQUIREMENTS = ['defusedxml==0.5.0']
+
 _LOGGER = logging.getLogger(__name__)
 
 DEFAULT_IP = '192.168.0.1'
@@ -63,6 +64,8 @@ def __init__(self, hass, config):
     @asyncio.coroutine
     def async_scan_devices(self):
         """Scan for new devices and return a list with found device IDs."""
+        import defusedxml.ElementTree as ET
+
         if self.token is None:
             token_initialized = yield from self.async_initialize_token()
             if not token_initialized:

requirements_all.txt

@@ -177,6 +177,9 @@ datapoint==0.4.3
 # homeassistant.components.light.decora_wifi
 # decora_wifi==1.3
 
+# homeassistant.components.device_tracker.upc_connect
+defusedxml==0.5.0
+
 # homeassistant.components.media_player.denonavr
 denonavr==0.5.4
 

requirements_test_all.txt

@@ -36,6 +36,9 @@ aiohttp_cors==0.5.3
 # homeassistant.components.notify.apns
 apns2==0.1.1
 
+# homeassistant.components.device_tracker.upc_connect
+defusedxml==0.5.0
+
 # homeassistant.components.sensor.dsmr
 dsmr_parser==0.11
 

script/gen_requirements_all.py

@@ -37,6 +37,7 @@
     'aioautomatic',
     'aiohttp_cors',
     'apns2',
+    'defusedxml',
     'dsmr_parser',
     'ephem',
     'evohomeclient',