From 6f4f5f747f0f278e3c0a5d4e9d1859523418c317 Mon Sep 17 00:00:00 2001
From: Dolph Mathews
Date: Thu, 17 Jan 2013 20:28:25 -0600
Subject: [PATCH] Ignore XML entities (bug 1100282)

Change-Id: Ie1969439c30e694af39d2b4e5e15e54e010f335c
---
 keystone/common/serializer.py | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/keystone/common/serializer.py b/keystone/common/serializer.py
index 734f7d1..72fe7f1 100644
--- a/keystone/common/serializer.py
+++ b/keystone/common/serializer.py
@@ -29,6 +29,16 @@ import re
 DOCTYPE = ''
 XMLNS = 'http://docs.openstack.org/identity/api/v2.0'
 
+PARSER = etree.XMLParser(
+ resolve_entities=False,
+ remove_comments=True,
+ remove_pis=True)
+
+# NOTE(dolph): lxml.etree.Entity() is just a callable that currently returns an
+# lxml.etree._Entity instance, which doesn't appear to be part of the
+# public API, so we discover the type dynamically to be safe
+ENTITY_TYPE = type(etree.Entity('x'))
+
 
 def from_xml(xml):
 """Deserialize XML to a dictionary."""
@@ -51,7 +61,7 @@ def to_xml(d, xmlns=None):
 class XmlDeserializer(object):
 def __call__(self, xml_str):
 """Returns a dictionary populated by decoding the given xml string."""
- dom = etree.fromstring(xml_str.strip())
+ dom = etree.fromstring(xml_str.strip(), PARSER)
 return self.walk_element(dom)
 
 @staticmethod
@@ -87,7 +97,8 @@ class XmlDeserializer(object):
 # current spec does not have attributes on an element with text
 values = values or text or {}
 
- for child in [self.walk_element(x) for x in element]:
+ for child in [self.walk_element(x) for x in element
+ if not isinstance(x, ENTITY_TYPE)]:
 values = dict(values.items() + child.items())
 
 return {XmlDeserializer._tag_name(element.tag): values}
-- 
1.8.0
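Review bot: The new `PARSER` spells out only part of its hardening: `resolve_entities=False` stops expansion, but `load_dtd` and `no_network` are left to lxml's documented defaults (`False` and `True`), so the intent to never fetch an external DTD or a remote entity lives in an implicit default rather than in this module. Pinning them next to the existing flag, `load_dtd=False,` and `no_network=True,`, costs nothing today and keeps the parser safe if the defaults ever change or the constant is copied elsewhere. With these settings the internal DTD subset is still parsed, so entity declarations in a DOCTYPE are read even though they are never expanded; if the v2.0 API has no legitimate use for a DOCTYPE, rejecting documents that carry one (exposed via `dom.getroottree().docinfo`) would be the natural next step. The NOTE(dolph) comment explains how `ENTITY_TYPE` is derived but not why the parser is configured this way; a one-line `# Security: entities are never expanded (XXE / entity-expansion DoS); unresolved references are dropped by the walker` above `PARSER` would make the purpose reviewable.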
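Review bot: The docstring on `__call__` still reads `Returns a dictionary populated by decoding the given xml string.` and says nothing about the restrictions the new `PARSER` argument imposes, which callers of this deserializer now silently inherit; I would extend it with `Comments, processing instructions and entity references are discarded, and entities are never expanded.` Nothing in this hunk handles `etree.XMLSyntaxError` from `etree.fromstring`; if the calling WSGI layer does not already map it to a client error, a malformed or oversized body surfaces as a 500 rather than a 400, which is worth confirming since the caller is outside this hunk. The rest of `XmlDeserializer` continues outside the hunk.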
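Review bot: Filtering entity children out of the comprehension in `walk_element` fails open: with `resolve_entities=False` an `&x;` inside element content arrives as an entity node (any text following it sits in that node's `.tail`), and the `if not isinstance(x, ENTITY_TYPE)` clause makes it vanish, so a request carrying an entity reference is most likely accepted with silently truncated data instead of being rejected. To my understanding predefined entities such as `&amp;` and numeric character references are resolved by libxml2 and never show up as entity nodes, so an identity API has no legitimate input that would be lost by rejecting them; failing closed before the loop, `if any(isinstance(x, ENTITY_TYPE) for x in element): raise ValueError('XML entity references are not allowed')`, is the safer default, using whichever exception type the caller already maps to a 400 (not visible here). Whether entity references inside attribute values are likewise preserved unexpanded or expanded on `.get()` is not covered by this child filter and deserves a unit test with `<user name="&x;">&x;</user>`. `walk_element` begins outside the hunk.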