authorDavanum Srinivas <dims@linux.vnet.ibm.com>2013-02-20 11:06:21 -0500
committerGerrit Code Review <review@openstack.org>2013-02-26 16:08:15 +0000
commit14df42b15fabc70472bb23264cf73acf4bfbe83d (patch)
tree28e3f4cd9498a9720fa3ab91a891be5553526edb /nova/utils.py
parent2e771b103276884b18f9d3326279a29c1aba1919 (diff)
Additional tests for safe parsing with minidom
For nova, forbid_dtd is always going to be true; however, if someone picks up this code and tries forbid_dtd = False, then the existing code is not good enough. We need to protect against external entities/DTDs and disallow notations as well. Added a few more handlers and test cases to cover that use case. Change-Id: If50f690e015f2bf837b403edf552e35d7af8c907
Diffstat (limited to 'nova/utils.py')
-rw-r--r--nova/utils.py18
1 files changed, 16 insertions, 2 deletions
diff --git a/nova/utils.py b/nova/utils.py
index 2c7d0b427..764fa9070 100644
--- a/nova/utils.py
+++ b/nova/utils.py
@@ -672,19 +672,33 @@ class ProtectedExpatParser(expatreader.ExpatParser):
def entity_decl(self, entityName, is_parameter_entity, value, base,
systemId, publicId, notationName):
- raise ValueError("<!ENTITY> forbidden")
+ raise ValueError("<!ENTITY> entity declaration forbidden")
def unparsed_entity_decl(self, name, base, sysid, pubid, notation_name):
# expat 1.2
- raise ValueError("<!ENTITY> forbidden")
+ raise ValueError("<!ENTITY> unparsed entity forbidden")
+
+ def external_entity_ref(self, context, base, systemId, publicId):
+ raise ValueError("<!ENTITY> external entity forbidden")
+
+ def notation_decl(self, name, base, sysid, pubid):
+ raise ValueError("<!ENTITY> notation forbidden")
def reset(self):
expatreader.ExpatParser.reset(self)
if self.forbid_dtd:
self._parser.StartDoctypeDeclHandler = self.start_doctype_decl
+ self._parser.EndDoctypeDeclHandler = None
if self.forbid_entities:
self._parser.EntityDeclHandler = self.entity_decl
self._parser.UnparsedEntityDeclHandler = self.unparsed_entity_decl
+ self._parser.ExternalEntityRefHandler = self.external_entity_ref
+ self._parser.NotationDeclHandler = self.notation_decl
+ try:
+ self._parser.SkippedEntityHandler = None
+ except AttributeError:
+ # some pyexpat versions do not support SkippedEntity
+ pass
def safe_minidom_parse_string(xml_string):
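Review bot: The new `notation_decl` handler reports a rejected notation as `<!ENTITY> notation forbidden`, but a notation is declared with `<!NOTATION>`, so anyone triaging a refused document from the log is pointed at the wrong construct. I would change it to `raise ValueError("<!NOTATION> declaration forbidden")` and keep the `<!ENTITY>` prefix for the three entity handlers only. The two new handler methods would also benefit from a one-line docstring naming the expat callback they back (`NotationDeclHandler`, `ExternalEntityRefHandler`) and stating that they exist to reject the document rather than process it. The page's rendering has dropped indentation, so which `if` branch in `reset` each new handler assignment sits under cannot be confirmed from here, and the class itself begins outside the hunk.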