author | Dolph Mathews <dolph.mathews@gmail.com> | 2013-02-19 09:00:40 -0600 |
committer | Dolph Mathews <dolph.mathews@gmail.com> | 2013-02-19 09:00:40 -0600 |
commit | 2afe8e46893ca27ea9d61f29419d0ec23a6d8db3 (patch) | |
tree | 3afc951d27ce4f7f1e9cce770d3cf91bdacccc59 /keystone/common | |
parent | 9ec12e2e54e3cca84fda0fcc63a849eebcaafe96 (diff) | |
Disable XML entity parsing
Fixes bug 1100282 and bug 1100279.
Change-Id: I6a7c9e7110e1c7890205d6e4550ab46295c68906
Diffstat (limited to 'keystone/common')
-rw-r--r-- | keystone/common/serializer.py | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/keystone/common/serializer.py b/keystone/common/serializer.py
index ddefa559..2a33ee70 100644
--- a/keystone/common/serializer.py
+++ b/keystone/common/serializer.py
@@ -38,6 +38,16 @@ XMLNS_LIST = [
     },
 ]
 
+PARSER = etree.XMLParser(
+    resolve_entities=False,
+    remove_comments=True,
+    remove_pis=True)
+
+# NOTE(dolph): lxml.etree.Entity() is just a callable that currently returns an
+# lxml.etree._Entity instance, which doesn't appear to be part of the
+# public API, so we discover the type dynamically to be safe
+ENTITY_TYPE = type(etree.Entity('x'))
+
 
 def from_xml(xml):
     """Deserialize XML to a dictionary."""
@@ -60,7 +70,7 @@ def to_xml(d, xmlns=None):
 class XmlDeserializer(object):
     def __call__(self, xml_str):
         """Returns a dictionary populated by decoding the given xml string."""
-        dom = etree.fromstring(xml_str.strip())
+        dom = etree.fromstring(xml_str.strip(), PARSER)
         return self.walk_element(dom, True)
 
     @staticmethod
@@ -111,7 +121,8 @@ class XmlDeserializer(object):
         # current spec does not have attributes on an element with text
         values = values or text or {}
 
-        for child in [self.walk_element(x) for x in element]:
+        for child in [self.walk_element(x) for x in element
+                      if not isinstance(x, ENTITY_TYPE)]:
             values = dict(values.items() + child.items())
 
         return {XmlDeserializer._tag_name(element.tag, namespace): values}
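Review bot: The new PARSER only sets resolve_entities=False and leaves the other entity-related knobs (no_network, load_dtd, huge_tree) at lxml's defaults, so the hardening is only as good as defaults that are not visible in this module; a security-motivated parser configuration is easier to audit if they are spelled out, i.e. add `no_network=True,` and `load_dtd=False,` to the XMLParser argument list (both are existing lxml.etree.XMLParser keywords). It would also help to state the intent above the constant, since the effect of resolve_entities=False is that entity references stay in the tree as Entity nodes instead of being expanded, which is what the ENTITY_TYPE filter in the third hunk depends on: `# Entity references are left unexpanded; the deserializer skips the resulting nodes.` The NOTE on ENTITY_TYPE already acknowledges that _Entity is private API; if lxml reports the factory as the node's tag for these nodes (`x.tag is etree.Entity`, as it does for Comment), that would be a more stable check than a dynamically discovered type, worth confirming against the lxml version pinned here.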
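Review bot: The `if not isinstance(x, ENTITY_TYPE)` filter in the comprehension drops entity references silently, so a document containing `&foo;` still deserializes successfully with that content missing rather than being rejected as malformed input; for a request deserializer I would fail closed, e.g. before the loop `if any(isinstance(x, ENTITY_TYPE) for x in element): raise ValueError('entity references are not allowed')` (using the project's own validation error type if one exists). A second consequence: lxml attaches the text that follows a child node to that child's `.tail`, so when an entity reference is embedded mid-text the text after it most likely sits on the skipped entity node and is lost as well — that deserves a test case alongside the one for this fix. walk_element begins outside the hunk, so I cannot see how `text` is derived from the element.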