authorPascal Hakim <pasc@redellipse.net>2013-02-20 07:46:14 -0500
committerPascal Hakim <pasc@redellipse.net>2013-02-20 07:46:14 -0500
commite8d419b194e03feefb976c91c234f3e8d864ad3f (patch)
tree98081adf692a602222c2db763c4f2233f1456ffb
parent77ddebc2a31d745ed3a491e4c48c4bc4dc7c2a95 (diff)
Disable loading of external XML entities in BotoServerErrors
-rw-r--r--boto/exception.py4
-rw-r--r--boto/handler.py11
2 files changed, 13 insertions, 2 deletions
diff --git a/boto/exception.py b/boto/exception.py
index ebfd982e..9beee960 100644
--- a/boto/exception.py
+++ b/boto/exception.py
@@ -83,8 +83,8 @@ class BotoServerError(StandardError):
# then just ignore the error response.
if self.body:
try:
- h = handler.XmlHandler(self, self)
- xml.sax.parseString(self.body, h)
+ h = handler.XmlHandlerWrapper(self, self)
+ h.parseString(self.body)
except (TypeError, xml.sax.SAXParseException), pe:
# Remove unparsable message body so we don't include garbage
# in exception. But first, save self.body in self.error_message
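Review bot: The `except (TypeError, xml.sax.SAXParseException), pe:` clause on the context line is now too narrow for what the `try` body can raise. `handler.XmlHandlerWrapper(self, self)` calls `setFeature` in its constructor, which can raise `SAXNotSupportedException` or `SAXNotRecognizedException` on a parser backend that does not implement the feature. Both are `SAXException` subclasses but not `SAXParseException`, so they would propagate out of the error-body parsing instead of taking the "unparsable body" path. Widening the clause to `except (TypeError, xml.sax.SAXException), pe:` keeps the failure closed, since the body is never parsed when the feature cannot be set. The enclosing method starts and ends outside this hunk, so the rest of the handler should be checked against that change.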
diff --git a/boto/handler.py b/boto/handler.py
index 8f37dff1..bf90019d 100644
--- a/boto/handler.py
+++ b/boto/handler.py
@@ -19,6 +19,7 @@
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
# IN THE SOFTWARE.
+import StringIO
import xml.sax
class XmlHandler(xml.sax.ContentHandler):
@@ -42,3 +43,13 @@ class XmlHandler(xml.sax.ContentHandler):
def characters(self, content):
self.current_text += content
+
+class XmlHandlerWrapper(object):
+ def __init__(self, root_node, connection):
+ self.handler = XmlHandler(root_node, connection)
+ self.parser = xml.sax.make_parser()
+ self.parser.setContentHandler(self.handler)
+ self.parser.setFeature(xml.sax.handler.feature_external_ges, 0)
+
+ def parseString(self, content):
+ return self.parser.parse(StringIO.StringIO(content))
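Review bot: `XmlHandlerWrapper.__init__` switches off only `feature_external_ges`, so the hardening covers external general entities and nothing else. External parameter entities stay at the parser's default, and entities declared in an inline DTD are still expanded, so an error body with an oversized entity expansion is not addressed by this class. I would set the second flag explicitly next to the first, `self.parser.setFeature(xml.sax.handler.feature_external_pes, 0)`, and add a class docstring stating that the wrapper parses server responses without resolving external entities and what it leaves uncovered. `xml.sax.handler` resolves here only because `import xml.sax` happens to load it; an explicit `import xml.sax.handler` beside the new `import StringIO` would make the dependency visible. Any other callers of `xml.sax.parseString` in the package, which this diff does not show, would still run with the default parser settings.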