[Openstack-security] [Bug 1534284] Re: keystoneclient should not use etree XML parsing

Morgan Fainberg morgan.fainberg at gmail.com
Wed Mar 2 20:57:18 UTC 2016


Marking this as "wont fix" against KSC as it shouldn't be needed long
term (Session, AuthPlugins, and CLI are all being removed soon/are
deprecated)

** Changed in: python-keystoneclient
       Status: New => Won't Fix

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1534284

Title:
  keystoneclient should not use etree XML parsing

Status in keystoneauth:
  Triaged
Status in OpenStack Security Advisory:
  Won't Fix
Status in python-keystoneclient:
  Won't Fix

Bug description:
  XML parsing is surprisingly difficult and fraught with danger, for
  example entity expansion makes it easy to cause a lot of memory to be
  used and therefore crash your system. keystoneclient is using etree
  parsing which has these potential issues, although in the case of
  keystoneclient it's the response from the IdP which I think is
  generally trusted.

  This is in python-keystoneclient/keystoneclient/contrib/auth/v3/saml2.py

  There's a defusedxml parser that has protections against these attacks
  and should therefore be used instead if possible -
  https://pypi.python.org/pypi/defusedxml - the docs for this page also
  include some examples of other possible attacks.

  This was caught by bandit 0.17.0.

  I'm going to start this out as private security so we can think about
  it some more before it goes public, even though it's probably not
  something that needs an issue since I think the source is generally
  trusted. If you can't trust your IdP then who can you trust?

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystoneauth/+bug/1534284/+subscriptions
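The following is an added example, not code from keystoneclient, keystoneauth or defusedxml. It shows the two halves of the report above: a plain xml.etree parse expands a constructed, scaled-down "billion laughs" DTD into a thousand copies of its payload, while a parser built on the same stdlib expat engine with the DTD, entity-declaration and external-entity handlers turned into hard errors refuses the document before anything is expanded. That refusal is the same mechanism defusedxml's forbid_dtd / forbid_entities / forbid_external options use; the helper names here (make_laughs, parse_defused, ForbiddenXML) are this example's own. The payload is kept tiny on purpose: Expat 2.4 and later also caps the amplification of very large expansions, but that cap only engages above several megabytes of output and is no substitute for rejecting DTDs from an IdP response you did not expect to carry one.

```python
"""Added example (not keystoneclient code): etree expands internal entities,
a defused parser on the same expat engine refuses them up front."""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class ForbiddenXML(ValueError):
    """Raised when a document uses a DTD feature we refuse to process."""


def make_laughs(depth=3, fanout=10):
    """Constructed 'billion laughs' document, scaled down so it runs quickly.

    Each entity lolN references lol(N-1) `fanout` times, so the single
    &lolN; in the body expands to fanout**depth copies of 'lol'.
    """
    ents = ['<!ENTITY lol0 "lol">']
    for i in range(1, depth + 1):
        refs = "".join(f"&lol{i - 1};" for _ in range(fanout))
        ents.append(f'<!ENTITY lol{i} "{refs}">')
    dtd = "<!DOCTYPE r [\n" + "\n".join(ents) + "\n]>"
    return f"{dtd}\n<r><msg>&lol{depth};</msg></r>"


def parse_with_etree(data):
    """What the bug report flags: plain etree parsing, entities fully expanded."""
    return ET.fromstring(data)


def parse_defused(data):
    """Defused parsing on the stdlib expat parser.

    Any DOCTYPE, entity declaration or external entity reference aborts the
    parse with ForbiddenXML before expat has expanded anything, which is the
    approach defusedxml takes with forbid_dtd/forbid_entities/forbid_external.
    Well-formed documents without a DTD are built into an ElementTree as usual.
    """
    parser = xml.parsers.expat.ParserCreate()

    def forbid(*args):
        # Exceptions raised in expat handlers propagate out of Parse().
        raise ForbiddenXML("DTD, entity declarations and external entities are not accepted")

    parser.StartDoctypeDeclHandler = forbid
    parser.EntityDeclHandler = forbid
    parser.ExternalEntityRefHandler = forbid

    # Feed the element events into the same TreeBuilder etree uses.
    builder = ET.TreeBuilder()
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)
    return builder.close()


def expansion_ratio(data):
    """How many characters of text an unprotected parse produces per
    character of input; the number a memory-exhaustion attack drives up."""
    root = parse_with_etree(data)
    return len("".join(root.itertext())) / len(data)


if __name__ == "__main__":
    doc = make_laughs()
    print(f"input {len(doc)} chars, expansion ratio {expansion_ratio(doc):.1f}x")
    try:
        parse_defused(doc)
    except ForbiddenXML as exc:
        print("defused parser refused it:", exc)
```

Swapping the unsafe call for the defused one costs nothing for a normal SAML response, which carries no DTD at all; the only documents that start failing are ones that were already suspicious.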
