Disable XML entity parsing
Fixes bug 1100282 and bug 1100279.

Change-Id: Idd3989356dfededc3d863770f0ca1661c1d45782
dolph committed Feb 19, 2013
1 parent e49390e commit 8945567
Showing 1 changed file with 13 additions and 2 deletions.
15 changes: 13 additions & 2 deletions keystone/common/serializer.py
Expand Up @@ -29,6 +29,16 @@
DOCTYPE = '<?xml version="1.0" encoding="UTF-8"?>'
XMLNS = 'http://docs.openstack.org/identity/api/v2.0'

PARSER = etree.XMLParser(
resolve_entities=False,
remove_comments=True,
remove_pis=True)

# NOTE(dolph): lxml.etree.Entity() is just a callable that currently returns an
# lxml.etree._Entity instance, which doesn't appear to be part of the
# public API, so we discover the type dynamically to be safe
ENTITY_TYPE = type(etree.Entity('x'))


def from_xml(xml):
"""Deserialize XML to a dictionary."""
Expand All @@ -51,7 +61,7 @@ def to_xml(d, xmlns=None):
class XmlDeserializer(object):
def __call__(self, xml_str):
"""Returns a dictionary populated by decoding the given xml string."""
dom = etree.fromstring(xml_str.strip())
dom = etree.fromstring(xml_str.strip(), PARSER)
return self.walk_element(dom)

@staticmethod
Expand Down Expand Up @@ -87,7 +97,8 @@ def walk_element(self, element):
# current spec does not have attributes on an element with text
values = values or text or {}

for child in [self.walk_element(x) for x in element]:
for child in [self.walk_element(x) for x in element
if not isinstance(x, ENTITY_TYPE)]:
values = dict(values.items() + child.items())

return {XmlDeserializer._tag_name(element.tag): values}
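Review bot: The child filter in walk_element (the `if not isinstance(x, ENTITY_TYPE)` clause) depends on a type discovered by instantiating `etree.Entity('x')`, which the NOTE at the top of the file already admits is not public API; lxml documents the same distinction for special nodes via their `tag`, exactly as it does for comments and processing instructions, so `if x.tag is not etree.Entity` expresses the intent without the module-level probe. Dropping the entity node also drops its `.tail`, so for input like `<a>foo&amp;ent;bar</a>` (constructed example) the text after the reference is lost along with the reference itself; if `text` on the preceding lines is taken from `element.text`, that is probably fine for this spec, but it deserves a one-line comment such as `# entity refs are left unresolved by PARSER; discard them (and any trailing text) rather than expand`. The hardened `PARSER` is wired into `XmlDeserializer.__call__`, but any other `etree.fromstring`/`etree.parse` call in this module (the body of `from_xml` is outside the hunk) would need the same parser to get the same protection. walk_element begins outside this hunk.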
