From 3fc71edcd488ed916c0a8327debd88dc3a7920eb Mon Sep 17 00:00:00 2001
From: Saad Yousaf
Date: Wed, 11 Aug 2021 21:08:14 +0500
Subject: [PATCH] Merge pull request #28442 from edx/saad/backport-TNL-8593-celery-xxe-fix-lilac

fix: update lxml parser for celery tasks to be more secure

(cherry picked from commit 809ed347649f5164308ba1dec70935cb8d7ccaad)
---
 cms/celery.py | 6 +++++-
 lms/celery.py | 5 +++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/cms/celery.py b/cms/celery.py
index 293121bcf22a..88f38e5b1fb9 100644
--- a/cms/celery.py
+++ b/cms/celery.py
@@ -5,9 +5,13 @@ Taken from: https://celery.readthedocs.org/en/latest/django/first-steps-with-django.html
 """
-
 import os

+# Patch the xml libs before anything else.
+from safe_lxml import defuse_xml_libs
+
+defuse_xml_libs()
+
 # Set the default Django settings module for the 'celery' program
 # and then instantiate the Celery singleton.
diff --git a/lms/celery.py b/lms/celery.py
index 808df030ef60..2ca97de3c62a 100644
--- a/lms/celery.py
+++ b/lms/celery.py
@@ -7,6 +7,11 @@
 import os

+# Patch the xml libs before anything else.
+from safe_lxml import defuse_xml_libs
+
+defuse_xml_libs()
+
 # Set the default Django settings module for the 'celery' program
 # and then instantiate the Celery singleton.