Fix XXE in XRDS parsing

author: Vlastimil Zíma <vlastimil.zima@nic.cz> 2018-03-08 13:57:53 +0100
committer: Vlastimil Zíma <vlastimil.zima@nic.cz> 2018-03-08 14:09:58 +0100
commit: 66b9f3a05a115d63aa268279cce574699bd603c8 (patch)
tree: ca40678048dffe8084fc65d04009ff5ec47cd68a /openid/yadis
parent: 43ae31f042929b00484361ce9c8a828281525a66 (diff)
download: openid-66b9f3a05a115d63aa268279cce574699bd603c8.tar.gz
1 files changed, 5 insertions, 4 deletions
diff --git a/openid/yadis/etxrd.py b/openid/yadis/etxrd.py
index a536617..a96a107 100644
--- a/openid/yadis/etxrd.py
+++ b/openid/yadis/etxrd.py
@@ -22,7 +22,7 @@ import random
 from datetime import datetime
 from time import strptime
 
-from lxml import etree as ElementTree
+from lxml import etree
 
 from openid.yadis import xri
 
@@ -48,14 +48,15 @@ def parseXRDS(text):
     @raises XRDSError: When there is a parse error or the document does
         not contain an XRDS.
     """
+    parser = etree.XMLParser(resolve_entities=False)
     try:
-        element = ElementTree.XML(text)
-    except ElementTree.Error as why:
+        element = etree.XML(text, parser)
+    except etree.Error as why:
         exc = XRDSError('Error parsing document as XML')
         exc.reason = why
         raise exc
     else:
-        tree = ElementTree.ElementTree(element)
+        tree = etree.ElementTree(element)
         if not isXRDS(tree):
             raise XRDSError('Not an XRDS document')
author	Vlastimil Zíma <vlastimil.zima@nic.cz>	2018-03-08 13:57:53 +0100
committer	Vlastimil Zíma <vlastimil.zima@nic.cz>	2018-03-08 14:09:58 +0100
commit	66b9f3a05a115d63aa268279cce574699bd603c8 (patch)
tree	ca40678048dffe8084fc65d04009ff5ec47cd68a /openid/yadis
parent	43ae31f042929b00484361ce9c8a828281525a66 (diff)
download	openid-66b9f3a05a115d63aa268279cce574699bd603c8.tar.gz