@ttx: I've had similar luck in trying to get minidom to stop parsing XML entities. Nothing obvious seems to work... What Josh posted in fix.py definitely stops entity expansion. This approach definitely falls into the "work around" category but given the lack of a better solution I'd say we go with it for now. If we get a better solution from the Python security team we can drop it in as a replacement too. I'm going to post some Nova patches which use this approach for Grizzly (above), Folsom, and Essex this afternoon.
@harlowja: Thanks for the info.