author | Pascal Hakim <pasc@redellipse.net> | 2013-02-20 07:46:14 -0500 |
---|---|---|
committer | Pascal Hakim <pasc@redellipse.net> | 2013-02-20 07:46:14 -0500 |
commit | e8d419b194e03feefb976c91c234f3e8d864ad3f (patch) | |
tree | 98081adf692a602222c2db763c4f2233f1456ffb | |
parent | 77ddebc2a31d745ed3a491e4c48c4bc4dc7c2a95 (diff) | |
download | boto-e8d419b194e03feefb976c91c234f3e8d864ad3f.tar.gz |
Disable loading of external XML entities in BotoServerErrors
-rw-r--r-- | boto/exception.py | 4 | ||||
-rw-r--r-- | boto/handler.py | 11 |
2 files changed, 13 insertions, 2 deletions
diff --git a/boto/exception.py b/boto/exception.py
index ebfd982e..9beee960 100644
--- a/boto/exception.py
+++ b/boto/exception.py
@@ -83,8 +83,8 @@ class BotoServerError(StandardError):
 # then just ignore the error response.
 if self.body:
 try:
- h = handler.XmlHandler(self, self)
- xml.sax.parseString(self.body, h)
+ h = handler.XmlHandlerWrapper(self, self)
+ h.parseString(self.body)
 except (TypeError, xml.sax.SAXParseException), pe:
 # Remove unparsable message body so we don't include garbage
 # in exception. But first, save self.body in self.error_message
diff --git a/boto/handler.py b/boto/handler.py
index 8f37dff1..bf90019d 100644
--- a/boto/handler.py
+++ b/boto/handler.py
@@ -19,6 +19,7 @@
 # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 # IN THE SOFTWARE.
+import StringIO
 import xml.sax
 class XmlHandler(xml.sax.ContentHandler):
@@ -42,3 +43,13 @@ class XmlHandler(xml.sax.ContentHandler):
 def characters(self, content):
 self.current_text += content
+
+class XmlHandlerWrapper(object):
+ def __init__(self, root_node, connection):
+ self.handler = XmlHandler(root_node, connection)
+ self.parser = xml.sax.make_parser()
+ self.parser.setContentHandler(self.handler)
+ self.parser.setFeature(xml.sax.handler.feature_external_ges, 0)
+
+ def parseString(self, content):
+ return self.parser.parse(StringIO.StringIO(content)) |
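Review bot: The `except (TypeError, xml.sax.SAXParseException), pe:` clause no longer covers everything the `try` body can raise, because the wrapper is now constructed inside it and its `__init__` calls `setFeature`. If the parser returned by `make_parser()` does not recognise or support the feature, `setFeature` raises `SAXNotRecognizedException` or `SAXNotSupportedException`, which are `SAXException` subclasses but not `SAXParseException`, so the error would escape from the exception object's own constructor and hide the original server error. Refusing to parse without the hardening is the right outcome; catching the base class keeps that while treating the body as unparsable: `except (TypeError, xml.sax.SAXException), pe:`. The enclosing method starts and ends outside this hunk, so the rest of the handler should be checked against that change.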
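Review bot: `XmlHandlerWrapper.__init__` turns off only `feature_external_ges`, so the hardening covers external general entities and nothing else. External parameter entities are a separate SAX feature, and since `make_parser()` may return a driver other than expat it is worth setting that explicitly too: `self.parser.setFeature(xml.sax.handler.feature_external_pes, 0)`. Entities declared in the document's own internal DTD subset are still expanded, so a hostile response body can still cost memory and CPU through nested entity expansion; that residual risk should be stated in a class docstring along with the reason the wrapper exists, e.g. `"""Parse server responses with external entity loading disabled (XXE hardening); use this instead of xml.sax.parseString for untrusted bodies."""`. Any other call sites that still pass `XmlHandler` to `xml.sax.parseString` are not visible in this diff and would presumably keep the parser defaults, so they are worth auditing.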