Merge "s3api: Prevent XXE injections" into stable/ussuristable/ussuri

author: Zuul <zuul@review.opendev.org> 2023-01-25 20:08:52 +0000
committer: Gerrit Code Review <review@openstack.org> 2023-01-25 20:08:52 +0000
commit: 1721d8586c53609f75070e10e21de9fcf262c0bc (patch)
tree: fe209aa998f5d236498abd915e1c2d379bb5e045 /swift/common/middleware/s3api/etree.py
parent: 54e6afc9a98aa772a995befd29bc34908a5ea8cc (diff)
parent: baa98848451b5c234443a068691e12841a5a8383 (diff)
download: swift-1721d8586c53609f75070e10e21de9fcf262c0bc.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/swift/common/middleware/s3api/etree.py b/swift/common/middleware/s3api/etree.py
index 29adbc38e..49be30810 100644
--- a/swift/common/middleware/s3api/etree.py
+++ b/swift/common/middleware/s3api/etree.py
@@ -130,7 +130,7 @@ class _Element(lxml.etree.ElementBase):
 
 
 parser_lookup = lxml.etree.ElementDefaultClassLookup(element=_Element)
-parser = lxml.etree.XMLParser()
+parser = lxml.etree.XMLParser(resolve_entities=False, no_network=True)
 parser.set_element_class_lookup(parser_lookup)
 
 Element = parser.makeelement
author	Zuul <zuul@review.opendev.org>	2023-01-25 20:08:52 +0000
committer	Gerrit Code Review <review@openstack.org>	2023-01-25 20:08:52 +0000
commit	1721d8586c53609f75070e10e21de9fcf262c0bc (patch)
tree	fe209aa998f5d236498abd915e1c2d379bb5e045 /swift/common/middleware/s3api/etree.py
parent	54e6afc9a98aa772a995befd29bc34908a5ea8cc (diff)
parent	baa98848451b5c234443a068691e12841a5a8383 (diff)
download	swift-1721d8586c53609f75070e10e21de9fcf262c0bc.tar.gz