It may be possible for parsed feed data to override configuration that
is passed to plugins and other components. Normally, feedparser
doesn't send those settings (e.g. output or args) that could
potentially lead to remote code execution exploits. But there *is* one
setting that overlaps right now: "url". It can't do anything now,
because the URL is set *after* the feed is parsed, so it's harmless.
But who knows how feedparser may change in the future? As a security
precaution, we created a list of "locked" items that are important for
us and keep the feed from overriding those.
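The "locked" merge described above, as an added illustration (not the feed2exec project's own code nor part of the commit): the key names "url", "output" and "args" come from the commit message, while the function name, the case-insensitive comparison and the sample feed entry are assumptions constructed for this example.

```python
"""Merge parsed feed data into plugin configuration without letting the feed
override locked settings.  Added example; not code from the project above."""
import logging

# Settings the feed must never override.  Assumption: these are the keys the
# commit message refers to as being passed on to plugins.
LOCKED_KEYS = frozenset({"url", "output", "args"})

log = logging.getLogger(__name__)


def merge_feed_data(config, feed_data, locked=LOCKED_KEYS):
    """Return (merged, rejected): `config` updated with `feed_data`, except
    that keys in `locked` keep their configured value.

    Keys are compared case-insensitively so a feed supplying "URL" or
    "Output" cannot bypass the check.  Rejected keys are logged so a feed
    that tries to tamper with settings shows up in the logs instead of
    being dropped silently.
    """
    locked_lower = {k.lower() for k in locked}
    merged = dict(config)
    rejected = []
    for key, value in feed_data.items():
        if key.lower() in locked_lower:
            rejected.append(key)
            continue
        merged[key] = value
    if rejected:
        log.warning("feed tried to override locked settings: %s", sorted(rejected))
    return merged, rejected


# Constructed sample: a configured feed and a parsed entry whose fields
# collide with the locked settings.
SAMPLE_CONFIG = {"url": "https://example.com/feed.xml",
                 "output": "maildir", "args": "~/Mail"}
SAMPLE_FEED_DATA = {
    "title": "Entry with colliding fields",
    "url": "https://feed-controlled.example/override",
    "Output": "some-other-plugin",
    "args": "/tmp/feed-chosen-path",
    "link": "https://example.com/post/1",
}

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(merge_feed_data(SAMPLE_CONFIG, SAMPLE_FEED_DATA))
```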