commit 0b1f9fb37f21f8969bc3855bbaf70e8d25f355ef
Author: Thierry Carrez
Date: Thu Aug 1 15:54:13 2013 +0200

    Remove unsafe XML parsing.

    Move to using xmlutils for all XML parsing.

    Resolves bug 1190229.
    Backport of Mikal's patch at 4534c514

    Change-Id: I43afb2e188bbea99ea30fe6cb2eb1aeedc4ddfd4

diff --git a/nova/api/openstack/compute/contrib/security_group_default_rules.py b/nova/api/openstack/compute/contrib/security_group_default_rules.py
index 751a4d4..3052c84 100644
--- a/nova/api/openstack/compute/contrib/security_group_default_rules.py
+++ b/nova/api/openstack/compute/contrib/security_group_default_rules.py
@@ -14,8 +14,6 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
-from xml.dom import minidom
-
 import webob
 from webob import exc
 
@@ -26,6 +24,7 @@ from nova.api.openstack import xmlutil
 from nova import exception
 from nova.network.security_group import openstack_driver
 from nova.openstack.common import log as logging
+from nova.openstack.common import xmlutils
 
 LOG = logging.getLogger(__name__)
 
@@ -73,7 +72,7 @@ class SecurityGroupDefaultRuleTemplate(xmlutil.TemplateBuilder):
 
 class SecurityGroupDefaultRulesXMLDeserializer(wsgi.MetadataXMLDeserializer):
     def default(self, string):
-        dom = minidom.parseString(string)
+        dom = xmlutils.safe_minidom_parse_string(string)
         security_group_rule = self._extract_security_group_default_rule(dom)
         return {'body': {'security_group_default_rule': security_group_rule}}
 
diff --git a/nova/api/openstack/compute/contrib/security_groups.py b/nova/api/openstack/compute/contrib/security_groups.py
index f3d047c..3f3a225 100644
--- a/nova/api/openstack/compute/contrib/security_groups.py
+++ b/nova/api/openstack/compute/contrib/security_groups.py
@@ -19,7 +19,6 @@ import json
 
 import webob
 from webob import exc
-from xml.dom import minidom
 
 from nova.api.openstack import common
 from nova.api.openstack import extensions
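Review bot: The `default` override in the last hunk of security_group_default_rules.py parses the request body with no error handling, so a body that the hardened parser refuses now leaves the deserializer as an uncaught exception; the commit swaps which parser runs but not what happens when parsing fails. As far as I can tell the helper raises `ValueError` when it rejects a body carrying a DTD or entity declaration and `expat.ExpatError` for malformed XML, and unless a layer above this deserializer maps those to a 400, both surface to the client as a server error. Since `from nova import exception` is already imported in this file, the parse should be wrapped and re-raised as `exception.MalformedRequestBody`, with `expat` imported from `xml.parsers`. The class and `_extract_security_group_default_rule` continue outside the hunk.
```python
    def default(self, string):
        try:
            dom = xmlutils.safe_minidom_parse_string(string)
        except (ValueError, expat.ExpatError):
            # Rejected or malformed body: report a 400, not a 500.
            raise exception.MalformedRequestBody(reason="cannot parse XML body")
        # … unchanged: extract the rule and build the response body …
```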
@@ -30,6 +29,7 @@ from nova.compute import api as compute_api
 from nova import exception
 from nova.network.security_group import openstack_driver
 from nova.network.security_group import quantum_driver
+from nova.openstack.common import xmlutils
 from nova.openstack.common import log as logging
 from nova.virt import netutils
 
@@ -500,7 +500,7 @@ class SecurityGroupsOutputController(wsgi.Controller):
                     servers[0][key] = req_obj['server'].get(
                         key, [{'name': 'default'}])
                 except ValueError:
-                    root = minidom.parseString(req.body)
+                    root = xmlutils.safe_minidom_parse_string(req.body)
                     sg_root = root.getElementsByTagName(key)
                     groups = []
                     if sg_root:
diff --git a/nova/virt/libvirt/driver.py b/nova/virt/libvirt/driver.py
index 54fa7bf..0705c8a 100755
--- a/nova/virt/libvirt/driver.py
+++ b/nova/virt/libvirt/driver.py
@@ -59,7 +59,6 @@ from eventlet import tpool
 from eventlet import util as eventlet_util
 from lxml import etree
 from oslo.config import cfg
-from xml.dom import minidom
 
 from nova.api.metadata import base as instance_metadata
 from nova import block_device
@@ -76,6 +75,7 @@ from nova.openstack.common import importutils
 from nova.openstack.common import jsonutils
 from nova.openstack.common import log as logging
 from nova.openstack.common.notifier import api as notifier
+from nova.openstack.common import xmlutils
 from nova import utils
 from nova import version
 from nova.virt import configdrive
@@ -1626,8 +1626,7 @@ class LibvirtDriver(driver.ComputeDriver):
         def get_vnc_port_for_instance(instance_name):
             virt_dom = self._lookup_by_name(instance_name)
             xml = virt_dom.XMLDesc(0)
-            # TODO(sleepsonthefloor): use etree instead of minidom
-            dom = minidom.parseString(xml)
+            dom = xmlutils.safe_minidom_parse_string(xml)
             for graphic in dom.getElementsByTagName('graphics'):
                 if graphic.getAttribute('type') == 'vnc':
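Review bot: In the `@@ -30,6 +29,7 @@` hunk of security_groups.py the added `from nova.openstack.common import xmlutils` is placed before `from nova.openstack.common import log as logging`, which breaks the alphabetical order the rest of this import block keeps and differs from the other files in this change, where the new import follows the `log`/`notifier` imports. Moving it one line down, after `from nova.openstack.common import log as logging`, keeps the block sorted.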
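Review bot: In the `@@ -500,7 +500,7 @@` hunk of security_groups.py the new `xmlutils.safe_minidom_parse_string(req.body)` call runs inside the `except ValueError:` handler for the failed `json.loads`, and an exception raised inside an `except` block is not re-caught by that same block, so whatever the hardened parser raises when it refuses the body propagates unhandled. As far as I can tell the helper signals a DTD or entity declaration with `ValueError` and malformed XML with `expat.ExpatError`, so a client body that is neither JSON nor acceptable XML becomes a server error rather than a 400; the malformed-XML gap predates this change, but the rejection path is new. Parsing in a nested try that raises `exc.HTTPBadRequest` (already imported via `from webob import exc`) closes it; `expat` would need importing from `xml.parsers`. The enclosing method starts and ends outside the hunk.
```python
                except ValueError:
                    try:
                        root = xmlutils.safe_minidom_parse_string(req.body)
                    except (ValueError, expat.ExpatError):
                        # Neither JSON nor acceptable XML: reject the request.
                        raise exc.HTTPBadRequest(explanation="malformed request body")
                    # … unchanged: collect security group names from sg_root …
```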
@@ -1644,7 +1643,7 @@ class LibvirtDriver(driver.ComputeDriver):
             virt_dom = self._lookup_by_name(instance_name)
             xml = virt_dom.XMLDesc(0)
             # TODO(sleepsonthefloor): use etree instead of minidom
-            dom = minidom.parseString(xml)
+            dom = xmlutils.safe_minidom_parse_string(xml)
             for graphic in dom.getElementsByTagName('graphics'):
                 if graphic.getAttribute('type') == 'spice':
diff --git a/nova/virt/xenapi/vm_utils.py b/nova/virt/xenapi/vm_utils.py
index 26bd9d2..0991e13 100644
--- a/nova/virt/xenapi/vm_utils.py
+++ b/nova/virt/xenapi/vm_utils.py
@@ -29,7 +29,6 @@ import time
 import urllib
 import urlparse
 import uuid
-from xml.dom import minidom
 from xml.parsers import expat
 
 from eventlet import greenthread
@@ -44,6 +43,7 @@ from nova import exception
 from nova.image import glance
 from nova.openstack.common import excutils
 from nova.openstack.common import log as logging
+from nova.openstack.common import xmlutils
 from nova import utils
 from nova.virt import configdrive
 from nova.virt.disk import api as disk
@@ -1437,7 +1437,7 @@ def compile_diagnostics(record):
         vm_uuid = record["uuid"]
         xml = _get_rrd(_get_rrd_server(), vm_uuid)
         if xml:
-            rrd = minidom.parseString(xml)
+            rrd = xmlutils.safe_minidom_parse_string(xml)
             for i, node in enumerate(rrd.firstChild.childNodes):
                 # Provide the last update of the information
                 if node.localName == 'lastupdate':
diff --git a/openstack-common.conf b/openstack-common.conf
index a2688fa..fc7933d 100644
--- a/openstack-common.conf
+++ b/openstack-common.conf
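Review bot: The new `rrd = xmlutils.safe_minidom_parse_string(xml)` in the `compile_diagnostics` hunk of vm_utils.py can fail in a way the function's existing error handling may not cover: the `from xml.parsers import expat` import kept in this file's first hunk suggests the function catches `expat.ExpatError` around this block, but as far as I can tell the hardened helper raises `ValueError` when it refuses a document for carrying a DTD or entity declaration, so such a document from the RRD server would propagate out of diagnostics collection instead of being reported as a parse failure. Widening that handler to `except (expat.ExpatError, ValueError) as e:` keeps the failure contained; alternatively the helper could normalise its rejections to `ExpatError` so every caller's existing handler still applies. `compile_diagnostics` starts and ends outside the hunk, and the `try` it uses is outside the hunk too, so this is inferred from the retained import rather than seen.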
@@ -1,7 +1,7 @@
 [DEFAULT]
 
 # The list of modules to copy from openstack-common
-modules=cliutils,context,db,excutils,eventlet_backdoor,fileutils,gettextutils,importutils,jsonutils,local,lockutils,log,network_utils,notifier,plugin,policy,rootwrap,setup,timeutils,rpc,uuidutils,install_venv_common,flakes,version,processutils
+modules=cliutils,context,db,excutils,eventlet_backdoor,fileutils,gettextutils,importutils,jsonutils,local,lockutils,log,network_utils,notifier,plugin,policy,rootwrap,setup,timeutils,rpc,uuidutils,install_venv_common,flakes,version,processutils,xmlutils
 
 # The base module to hold the copy of openstack.common
 base=nova