[Openstack-security] [Bug 1534284] Re: keystoneauth auth plugins should not use etree XML parsing
OpenStack Infra
1534284 at bugs.launchpad.net
Mon Apr 16 17:27:29 UTC 2018
** Changed in: keystoneauth
Assignee: Kairat Kushaev (kkushaev) => Pavlo Shchelokovskyy (pshchelo)
--
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1534284
Title:
keystoneauth auth plugins should not use etree XML parsing
Status in keystoneauth:
In Progress
Status in OpenStack Security Advisory:
Won't Fix
Status in python-keystoneclient:
Won't Fix
Bug description:
XML parsing is surprisingly difficult and fraught with danger; for
example, entity expansion makes it easy to cause a lot of memory to be
used and therefore crash your system. keystoneclient is using etree
parsing, which has these potential issues, although in the case of
keystoneclient it's the response from the IdP, which I think is
generally trusted.
This is in python-keystoneclient/keystoneclient/contrib/auth/v3/saml2.py
There's a defusedxml parser that has protections against these attacks
and should therefore be used instead if possible -
https://pypi.python.org/pypi/defusedxml - the docs for this page also
include some examples of other possible attacks.
This was caught by bandit 0.17.0.
I'm going to start this out as private security so we can think about
it some more before it goes public, even though it's probably not
something that needs an issue since I think the source is generally
trusted. If you can't trust your IdP then who can you trust?
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystoneauth/+bug/1534284/+subscriptions
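The guard the bug asks for, as an added example that is not keystoneclient's or defusedxml's code: defusedxml blocks entity expansion by installing an expat declaration handler that raises before anything is expanded, and the same check is written below with only the standard library so it runs stand-alone. The SAML response snippets are constructed for the example; defusedxml.ElementTree.fromstring with forbid_entities=True (its default) gives the equivalent protection in one call.

```python
"""Refuse XML that declares a DTD or entities before handing it to etree."""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class EntitiesForbidden(ValueError):
    """Raised when the document carries a DOCTYPE or an entity declaration."""


def parse_untrusted_xml(data: bytes, forbid_dtd: bool = True) -> ET.Element:
    """Parse with ElementTree, but only after an expat pass proves the
    document declares no entities. expat invokes the declaration handlers
    before it expands anything in the body, so raising there stops an
    entity-expansion payload before the memory blow-up can begin."""
    probe = expat.ParserCreate()

    def _entity_decl(name, *_args):
        raise EntitiesForbidden(f"entity declaration {name!r} is not allowed")

    def _doctype(name, *_args):
        if forbid_dtd:
            raise EntitiesForbidden(f"DOCTYPE {name!r} is not allowed")

    probe.EntityDeclHandler = _entity_decl
    probe.StartDoctypeDeclHandler = _doctype
    probe.Parse(data, True)        # raises EntitiesForbidden or ExpatError
    return ET.fromstring(data)     # no declarations present: safe to parse


def is_rejected(data: bytes) -> bool:
    """True when the guard refuses the document."""
    try:
        parse_untrusted_xml(data)
    except EntitiesForbidden:
        return True
    return False


# Constructed sample responses (not real IdP output).
SAFE_SAML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# A single internal entity is enough to trip the guard; it never reaches etree.
ENTITY_SAML = b"""<?xml version="1.0"?>
<!DOCTYPE r [ <!ENTITY a "x"> ]>
<r>&a;</r>"""


def name_id(data: bytes) -> str:
    """Extract the SAML NameID the way a client would, through the guard."""
    root = parse_untrusted_xml(data)
    ns = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
    return root.findtext(".//saml:NameID", namespaces=ns)
```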