From bcd78bf61eebb127f4f7ca63141eb854f14ba05d Mon Sep 17 00:00:00 2001
From: Dolph Mathews
Date: Thu, 17 Jan 2013 18:57:42 -0600
Subject: [PATCH] Ignore XML entities (bug 1100282)

Change-Id: I734d702527e981bd29b6017c1ed5022d42a54b93
---
 keystone/common/serializer.py | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/keystone/common/serializer.py b/keystone/common/serializer.py
index ddefa55..2a33ee7 100644
--- a/keystone/common/serializer.py
+++ b/keystone/common/serializer.py
@@ -38,6 +38,16 @@ XMLNS_LIST = [
     },
 ]
 
+PARSER = etree.XMLParser(
+    resolve_entities=False,
+    remove_comments=True,
+    remove_pis=True)
+
+# NOTE(dolph): lxml.etree.Entity() is just a callable that currently returns an
+# lxml.etree._Entity instance, which doesn't appear to be part of the
+# public API, so we discover the type dynamically to be safe
+ENTITY_TYPE = type(etree.Entity('x'))
+
 
 def from_xml(xml):
     """Deserialize XML to a dictionary."""
@@ -60,7 +70,7 @@ def to_xml(d, xmlns=None):
 class XmlDeserializer(object):
     def __call__(self, xml_str):
         """Returns a dictionary populated by decoding the given xml string."""
-        dom = etree.fromstring(xml_str.strip())
+        dom = etree.fromstring(xml_str.strip(), PARSER)
         return self.walk_element(dom, True)
 
     @staticmethod
@@ -111,7 +121,8 @@ class XmlDeserializer(object):
             # current spec does not have attributes on an element with text
             values = values or text or {}
 
-            for child in [self.walk_element(x) for x in element]:
+            for child in [self.walk_element(x) for x in element
+                          if not isinstance(x, ENTITY_TYPE)]:
                 values = dict(values.items() + child.items())
 
             return {XmlDeserializer._tag_name(element.tag, namespace): values}
-- 
1.8.0
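Review bot: The hardened parser in the first hunk relies on lxml's defaults for the other inputs that can pull in attacker-controlled content: `load_dtd` (default off) and `no_network` (default on) are not set, so the protection against external entities and DTD fetching depends on those defaults never changing, while `resolve_entities=False` alone only stops expansion of entities that are already declared. Setting them explicitly, `load_dtd=False,` and `no_network=True,` alongside the existing keywords, makes the intent visible and robust against a future lxml default change. The constant also deserves a comment stating the contract it exists to enforce, e.g. `# NOTE: shared parser for all untrusted XML input; entity expansion, comments and PIs are disabled (bug 1100282)`, so that any new `etree.fromstring`/`etree.parse` call site in the module (the second hunk converts only the one in `XmlDeserializer.__call__`) knows to pass it. Whether `from_xml` at line 52 goes through `XmlDeserializer` is not visible here.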
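Review bot: Dropping the entity node in the third hunk also drops its `tail`: with `resolve_entities=False` lxml keeps text following an entity reference on the entity node, not on the parent, so a value such as `foo&x;bar` deserializes as `foo` with no error. If silent truncation is the intended behaviour it should be stated next to the filter, e.g. `# Entity nodes (and any text following them) are discarded rather than expanded`; if not, rejecting input that contains entity nodes would be the safer contract than quietly producing a different value. `walk_element` begins above the hunk, so if it iterates `element` in another branch the same filter is needed there as well. The `type(etree.Entity('x'))` discovery could likely be avoided since lxml exposes the node kind through the tag, `if x.tag is not etree.Entity`, mirroring the documented `el.tag is etree.Comment` idiom — worth confirming against the lxml version in use.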