[Openstack-security] [Bug 1534284] Re: keystoneauth auth plugins should not use etree XML parsing
** Changed in: keystoneauth
Assignee: Kairat Kushaev (kkushaev) => Pavlo Shchelokovskyy (pshchelo)
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
keystoneauth auth plugins should not use etree XML parsing
Status in keystoneauth:
Status in OpenStack Security Advisory:
Status in python-keystoneclient:
XML parsing is surprisingly difficult and fraught with danger, for
example entity expansion makes it easy to cause a lot of memory to be
used and therefore crash your system. keystoneclient is using etree
parsing which has these potential issues, although in the case of
keystoneclient it's the response from the IdP which I think is
This is in python-
There's a defusedxml parser that has protections against these attacks
and should therefore be used instead if possible -
https://pypi.python.org/pypi/defusedxml - the docs for this page also
include some examples of other possible attacks.
This was caught by bandit 0.17.0.
I'm going to start this out as private security so we can think about
it some more before it goes public, even though it's probably not
something that needs an issue since I think the source is generally
trusted. If you can't trust your IdP then who can you trust?
To manage notifications about this bug go to:
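An added example, not code from keystoneclient, keystoneauth or the defusedxml project: the entity-declaration check that defusedxml performs through expat callbacks, written here against the standard library only, run over a constructed benign SAML-style response and a constructed entity-declaring document. `unchecked_text` shows what plain ElementTree does with the latter, which is the behaviour the bug report is about.

```python
# Added example (not keystoneclient, keystoneauth or defusedxml code): refuse
# XML that declares entities, the check defusedxml makes via expat callbacks,
# using only the standard library.  Both documents below are constructed.
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed stand-in for a benign SAML-style IdP response (no DTD).
BENIGN_RESPONSE = (
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
    b'<samlp:Status><samlp:StatusCode '
    b'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    b'</samlp:Response>'
)
# Constructed document whose internal DTD declares entities, the construct
# entity expansion depends on and therefore what the check refuses.
ENTITY_RESPONSE = (
    b'<!DOCTYPE r [<!ENTITY a "aaaaaaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
    b'<r>&b;</r>'
)

class EntitiesForbidden(ValueError):
    """The document declares an entity and is refused before parsing."""

def reject_entity_declarations(data):
    """Scan with expat and raise on the first entity declaration; only
    declared entities can be expanded, so nothing is ever expanded."""
    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise EntitiesForbidden("entity declaration not allowed: %s" % name)

    parser = expat.ParserCreate()
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)

def is_entity_free(data):
    """True when the check passes, False when a declaration was refused."""
    try:
        reject_entity_declarations(data)
    except EntitiesForbidden:
        return False
    return True

def parse_idp_response(data):
    """Parse an IdP response only after the declaration check has passed."""
    reject_entity_declarations(data)
    return ET.fromstring(data)

def unchecked_text(data):
    """What plain ElementTree yields: declared entities silently expanded."""
    return ET.fromstring(data).text
```

In the keystoneclient case the same check would sit in front of whatever etree call parses the IdP response, so a declaring document is rejected before any expansion can consume memory.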