Comment 3 for bug 1625402

Brian Rosmaita (brian-rosmaita) wrote :

Here's an unhelpful comment. The OVA extraction task is extremely brittle and subject to several known attack vectors, as stated on the spec, which is a public document:

http://specs.openstack.org/openstack/glance-specs/specs/mitaka/implemented/ovf-lite.html#security-impact

The OVA extraction task should only be used by administrators and trusted users.

The xml-entity-expansion attack isn't mentioned in the spec, though.
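Added example, not part of the bug report and not Glance's own OVA task code: it pulls the OVF descriptor out of an OVA tarball and parses it with DOCTYPE, entity declarations and external entity references refused, so the entity-expansion case the comment mentions is rejected before any expansion happens. It also shows the "before" form (plain xml.etree), which expands the entities silently. Everything here is assumed for illustration: the descriptor is the single member named *.ovf, a 1 MiB cap on it is acceptable, any DOCTYPE is grounds for rejection, and the two descriptors are constructed samples, not real OVF files.

```python
"""Hardened OVF-descriptor extraction from an OVA (added example, not Glance code).

Assumptions, not taken from the bug or the spec: exactly one *.ovf member, a
1 MiB descriptor cap, and rejection of any DOCTYPE (OVF descriptors need none).
"""
import io
import tarfile
import xml.etree.ElementTree as ET
from xml.parsers import expat

OVF_NS = "http://schemas.dmtf.org/ovf/envelope/1"
MAX_DESCRIPTOR_BYTES = 1 << 20  # assumed cap, not from the spec


class UnsafeDescriptor(ValueError):
    """Raised when the OVA or its descriptor fails a safety check."""


def find_ovf_member(ova_bytes: bytes) -> bytes:
    """Return the bytes of the single *.ovf member after checking its name and size."""
    with tarfile.open(fileobj=io.BytesIO(ova_bytes), mode="r:*") as tar:
        ovf = [m for m in tar.getmembers() if m.name.lower().endswith(".ovf")]
        if len(ovf) != 1:
            raise UnsafeDescriptor("expected exactly one .ovf member, found %d" % len(ovf))
        member = ovf[0]
        # Not a regular file, absolute, or containing ".." -> could escape an
        # extraction directory if the archive is ever unpacked to disk.
        if not member.isfile() or member.name.startswith("/") or ".." in member.name.split("/"):
            raise UnsafeDescriptor("suspicious member name %r" % member.name)
        if member.size > MAX_DESCRIPTOR_BYTES:
            raise UnsafeDescriptor("descriptor larger than %d bytes" % MAX_DESCRIPTOR_BYTES)
        return tar.extractfile(member).read()


def parse_descriptor_safely(xml_bytes: bytes) -> ET.Element:
    """Drive expat directly so DOCTYPE, entity declarations and external entity
    references are each refused by a handler before anything gets expanded."""
    def refuse(what):
        def handler(*_args):
            raise UnsafeDescriptor("%s not allowed in an OVF descriptor" % what)
        return handler

    def to_et_name(name):  # expat "uri}local" -> ElementTree "{uri}local"
        return "{" + name if "}" in name else name

    builder = ET.TreeBuilder()
    parser = expat.ParserCreate(namespace_separator="}")
    parser.StartDoctypeDeclHandler = refuse("DOCTYPE")
    parser.EntityDeclHandler = refuse("entity declaration")
    parser.ExternalEntityRefHandler = refuse("external entity reference")
    parser.StartElementHandler = lambda name, attrs: builder.start(
        to_et_name(name), {to_et_name(k): v for k, v in attrs.items()})
    parser.EndElementHandler = lambda name: builder.end(to_et_name(name))
    parser.CharacterDataHandler = builder.data
    parser.Parse(xml_bytes, True)
    return builder.close()


def build_ova(descriptor: bytes, name: str = "vm.ovf") -> bytes:
    """Pack one descriptor into an in-memory tar so the demo runs offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name)
        info.size = len(descriptor)
        tar.addfile(info, io.BytesIO(descriptor))
    return buf.getvalue()


# Constructed samples. The entity chain expands to only 100 copies of "lol" so
# the demo stays cheap; a real payload nests the same trick ten levels deep.
ENTITY_DESCRIPTOR = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Envelope [
  <!ENTITY a "lol">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
]>
<Envelope xmlns="%s" xmlns:ovf="%s">
  <VirtualSystem ovf:id="vm1"><Info>&c;</Info></VirtualSystem>
</Envelope>""" % (OVF_NS.encode(), OVF_NS.encode())

CLEAN_DESCRIPTOR = b"""<?xml version="1.0" encoding="UTF-8"?>
<Envelope xmlns="%s" xmlns:ovf="%s">
  <VirtualSystem ovf:id="vm1"><Info>demo</Info></VirtualSystem>
</Envelope>""" % (OVF_NS.encode(), OVF_NS.encode())


def naive_info_text(ova_bytes: bytes) -> str:
    """The 'before' form: xml.etree expands internal entities without complaint."""
    root = ET.fromstring(find_ovf_member(ova_bytes))
    return root.find(".//{%s}Info" % OVF_NS).text


def descriptor_verdict(ova_bytes: bytes):
    """Hardened path: ("accepted", <Info text>) or ("rejected", <reason>)."""
    try:
        root = parse_descriptor_safely(find_ovf_member(ova_bytes))
    except (UnsafeDescriptor, tarfile.TarError, expat.ExpatError) as exc:
        return ("rejected", str(exc))
    info = root.find(".//{%s}Info" % OVF_NS)
    return ("accepted", info.text if info is not None else "")


if __name__ == "__main__":
    print("naive parse expanded Info to %d chars" % len(naive_info_text(build_ova(ENTITY_DESCRIPTOR))))
    print(descriptor_verdict(build_ova(ENTITY_DESCRIPTOR)))
    print(descriptor_verdict(build_ova(CLEAN_DESCRIPTOR)))
    print(descriptor_verdict(build_ova(CLEAN_DESCRIPTOR, "../evil.ovf")))
```

Refusing the DOCTYPE outright is the simplest sound policy: without a DTD there is nowhere to declare entities, internal or external, so only the five predefined XML entities can ever appear. Recent expat builds also cap entity amplification on their own, which is why the sample keeps its expansion small rather than relying on that limit; a stand-alone check like this one does not depend on which expat the host ships.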