authorJames Saryerwinnie <js@jamesls.com>2013-03-07 11:29:46 -0800
committerJames Saryerwinnie <js@jamesls.com>2013-03-07 11:29:46 -0800
commit1ad6e6b233e9cb021269ef3ce9f8a610587e50b9 (patch)
treede94cf58e28fa9b3e69c9fab1ac2d7ddc1178836
parent5e6d0c673f10a4a93b7cdbb109ec7ada4e3e7d40 (diff)
parent625930e6aceaf327c7b8874dfdaf1db13936a08d (diff)
Merge branch 'pasc-1322_disable_external_xml_entities' into develop
Closes #1342, fixes #1322

* pasc-1322_disable_external_xml_entities:
  Remove trailing space
  Added unit tests for remote entity loading in XML errors (re #1342)
  Disable loading of external XML entities in BotoServerErrors
-rw-r--r--boto/exception.py4
-rw-r--r--boto/handler.py12
-rw-r--r--tests/unit/test_exception.py14
3 files changed, 28 insertions, 2 deletions
diff --git a/boto/exception.py b/boto/exception.py
index ebfd982e..9beee960 100644
--- a/boto/exception.py
+++ b/boto/exception.py
@@ -83,8 +83,8 @@ class BotoServerError(StandardError):
# then just ignore the error response.
if self.body:
try:
- h = handler.XmlHandler(self, self)
- xml.sax.parseString(self.body, h)
+ h = handler.XmlHandlerWrapper(self, self)
+ h.parseString(self.body)
except (TypeError, xml.sax.SAXParseException), pe:
# Remove unparsable message body so we don't include garbage
# in exception. But first, save self.body in self.error_message
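Review bot: The two replaced lines drop the only visible reason why `xml.sax.parseString` is no longer called here; a reader of exception.py sees a wrapper with the same shape and no rationale. Add a why-comment above the `h = handler.XmlHandlerWrapper(self, self)` line, e.g. `# Parse via XmlHandlerWrapper: it disables external entity resolution, because self.body arrives from the network.` The wrapper's constructor now also runs inside the try; it only configures the parser, so the existing except clause still covers what parsing can raise, though a reader that rejected the feature would surface as an uncaught SAX exception rather than a SAXParseException (unlikely with the default expat reader). The enclosing method starts and ends outside this hunk.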
diff --git a/boto/handler.py b/boto/handler.py
index 8f37dff1..df065cca 100644
--- a/boto/handler.py
+++ b/boto/handler.py
@@ -19,6 +19,7 @@
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
# IN THE SOFTWARE.
+import StringIO
import xml.sax
class XmlHandler(xml.sax.ContentHandler):
@@ -42,3 +43,14 @@ class XmlHandler(xml.sax.ContentHandler):
def characters(self, content):
self.current_text += content
+
+
+class XmlHandlerWrapper(object):
+ def __init__(self, root_node, connection):
+ self.handler = XmlHandler(root_node, connection)
+ self.parser = xml.sax.make_parser()
+ self.parser.setContentHandler(self.handler)
+ self.parser.setFeature(xml.sax.handler.feature_external_ges, 0)
+
+ def parseString(self, content):
+ return self.parser.parse(StringIO.StringIO(content))
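Review bot: `XmlHandlerWrapper.__init__` turns off only external general entities (`feature_external_ges`); external parameter entities and the external DTD subset are governed by the separate `xml.sax.handler.feature_external_pes`, which is left at the reader's default. Consider adding `self.parser.setFeature(xml.sax.handler.feature_external_pes, 0)` after the existing setFeature line, and confirm with a test that the expat reader honours it across the reset that `parse()` performs, since that behaviour has differed between Python versions. The class also carries no docstring, and its purpose is entirely a security decision that the name does not convey; suggest `"""SAX front-end that refuses to resolve external entities: error bodies come from the network and must never cause the parser to fetch anything."""` on the class and a one-line docstring on `parseString` noting that it mirrors `xml.sax.parseString` but with that restriction applied.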
diff --git a/tests/unit/test_exception.py b/tests/unit/test_exception.py
index 60124c0c..684ca0ce 100644
--- a/tests/unit/test_exception.py
+++ b/tests/unit/test_exception.py
@@ -2,6 +2,8 @@ from tests.unit import unittest
from boto.exception import BotoServerError
+from httpretty import HTTPretty, httprettified
+
class TestBotoServerError(unittest.TestCase):
def test_botoservererror_basics(self):
@@ -51,6 +53,18 @@ class TestBotoServerError(unittest.TestCase):
self.assertEqual(bse.status, '403')
self.assertEqual(bse.reason, 'Forbidden')
+ @httprettified
+ def test_xmlns_not_loaded(self):
+ xml = '<ErrorResponse xmlns="http://elasticloadbalancing.amazonaws.com/doc/2011-11-15/">'
+ bse = BotoServerError('403', 'Forbidden', body=xml)
+ self.assertEqual([], HTTPretty.latest_requests)
+
+ @httprettified
+ def test_xml_entity_not_loaded(self):
+ xml = '<!DOCTYPE Message [<!ENTITY xxe SYSTEM "http://aws.amazon.com/">]><Message>error:&xxe;</Message>'
+ bse = BotoServerError('403', 'Forbidden', body=xml)
+ self.assertEqual([], HTTPretty.latest_requests)
+
def test_message_not_xml(self):
body = 'This is not XML'