Comment 16 for bug 1100282

Dan Prince (dan-prince) wrote : Re: DoS through XML entity expansion

ttx:

I tested this today with Nova using a similar XML request (lots of entity expansions) and caused the same exploit. Essentially the request took forever and pegged the CPU on the machine.

We are going to need a different fix in Nova though because minidom is actually the XML call we use there:

    dom = minidom.parseString(body)

Both Cinder and Quantum will have similar issues due to the fact that they use minidom.parseString as well. So whatever we do to fix minidom in Nova should work there as well.

From what I can tell Glance is clean though.

----

I'm looking into a fix for the minidom issue... shall I post the patches into this ticket?
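
One way to guard the `minidom.parseString(body)` call mentioned in the comment above, shown as an added example that is not part of the original comment and not OpenStack's own code. It passes minidom a SAX parser that refuses any document declaring a DTD or an entity; `GuardedExpatParser`, `ForbiddenXML`, `safe_parse_string`, `is_rejected` and the two sample bodies are hypothetical names and constructed inputs.

```python
from xml.dom import minidom
from xml.sax import expatreader


class ForbiddenXML(ValueError):
    """Raised when the document declares a DTD or any entity."""


class GuardedExpatParser(expatreader.ExpatParser):
    """Hypothetical SAX parser that refuses DTDs and entity declarations."""

    def __init__(self, forbid_dtd=True, forbid_entities=True):
        super().__init__()
        self.forbid_dtd = forbid_dtd
        self.forbid_entities = forbid_entities

    def _reject(self, what):
        def handler(*args):
            raise ForbiddenXML(what + " not allowed in request body")
        return handler

    def reset(self):
        # The base class recreates the underlying expat parser on reset,
        # so the guards have to be re-installed each time.
        super().reset()
        if self.forbid_dtd:
            self._parser.StartDoctypeDeclHandler = self._reject("<!DOCTYPE>")
        if self.forbid_entities:
            self._parser.EntityDeclHandler = self._reject("<!ENTITY>")
            self._parser.UnparsedEntityDeclHandler = self._reject("unparsed entity")
            self._parser.ExternalEntityRefHandler = self._reject("external entity")


def safe_parse_string(body, **guards):
    # Drop-in for minidom.parseString(body); body must be str, not bytes.
    return minidom.parseString(body, parser=GuardedExpatParser(**guards))


def is_rejected(body, **guards):
    try:
        safe_parse_string(body, **guards)
    except ForbiddenXML:
        return True
    return False


# Constructed sample bodies: a plain request and one declaring a single entity.
BENIGN = '<server name="test"/>'
WITH_ENTITY = '<!DOCTYPE server [<!ENTITY a "x">]><server name="&a;"/>'
```

The handler raises as soon as the declaration is seen, before any entity reference in the body is expanded, so the cost of rejecting a request does not grow with the number of expansions it contains.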