Comment 29 for bug 1100282

Dan Prince (dan-prince) wrote : Re: DoS through XML entity expansion

@harlowja: Thanks for the info.

@ttx: I've had similar luck in trying to get minidom to stop parsing XML entities. Nothing obvious seems to work... What Josh posted in fix.py definitely stops entity expansion. This approach definitely falls into the "work around" category but given the lack of a better solution I'd say we go with it for now. If we get a better solution from the Python security team we can drop it in as a replacement too. I'm going to post some Nova patches which use this approach for Grizzly (above), Folsom, and Essex this afternoon.
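
Added example, not part of the comment above and not the fix.py attached to this bug: one way to make minidom refuse entity expansion is to hand it a SAX expat reader whose DOCTYPE and ENTITY handlers raise. The class and function names are hypothetical, the sample documents are constructed, and the code relies on CPython's private `ExpatParser._parser` attribute.

```python
from xml.dom import minidom
from xml.sax import expatreader


class EntityForbidden(ValueError):
    """Raised when untrusted XML carries a DTD or entity declaration."""


class NoEntityExpatParser(expatreader.ExpatParser):
    """SAX expat reader that aborts on DOCTYPE/ENTITY (hypothetical name)."""

    def _forbid_doctype(self, name, sysid, pubid, has_internal_subset):
        raise EntityForbidden("inline DTD not allowed")

    def _forbid_entity(self, name, is_parameter_entity, value, base,
                       sysid, pubid, notation_name):
        raise EntityForbidden("<!ENTITY> declaration not allowed")

    def _forbid_external(self, context, base, sysid, pubid):
        raise EntityForbidden("external entity reference not allowed")

    def reset(self):
        # reset() creates a fresh pyexpat parser (assumption: CPython keeps
        # it in self._parser), so the guards are installed after it runs.
        super().reset()
        self._parser.StartDoctypeDeclHandler = self._forbid_doctype
        self._parser.EntityDeclHandler = self._forbid_entity
        self._parser.ExternalEntityRefHandler = self._forbid_external


def parse_untrusted_xml(text):
    """Parse a str with minidom; raise EntityForbidden before any expansion."""
    return minidom.parseString(text, parser=NoEntityExpatParser())


# Constructed samples: a plain request body and one declaring nested entities.
PLAIN = "<server><name>vm1</name></server>"
WITH_ENTITIES = """<!DOCTYPE server [
  <!ENTITY a "aaaa">
  <!ENTITY b "&a;&a;">
]>
<server><name>&b;</name></server>"""

if __name__ == "__main__":
    print(parse_untrusted_xml(PLAIN).documentElement.tagName)
    try:
        parse_untrusted_xml(WITH_ENTITIES)
    except EntityForbidden as exc:
        print("rejected:", exc)
```

The document is rejected at the `<!DOCTYPE` declaration, before any entity is defined or expanded, so legitimate input that needs a DTD is refused as well.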