Comment 53 for bug 1100282
Revision history for this message
| Christian Heimes (heimes) wrote Re: DoS through XML entity expansion | #53 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
4d1350f
(Get the code!)
LXML still suggests a parser pool for threaded applications.
http://
To avoid interfering with other modules, however, it is usually a better idea to use a dedicated parser for each module (or a parser pool when using threads) and then register the required lookup scheme only for this parser.
Here is some example code from our code at work. We are using a custom Element class and thread local storage for parser instances.
import threading
from lxml import etree
class RestrictedEleme
__slots__ = ()
# blacklist = (etree._Element, etree._
blacklist = etree._Element
def __iter__(self):
blacklist = self.blacklist
for child in super(Restricte
if isinstance(child, blacklist):
yield child
def iterchildren(self, tag=None, reversed=False):
blacklist = self.blacklist
children = super(Restricte
for child in children:
if isinstance(child, blacklist):
yield child
# you may need to overwrite getchildren, find, findall and more if you use them
class ParserTLS(
parser_cfg = {
}
@property
def parser(self):
parser = getattr(self, "_parser", None)
if parser is None:
parser = etree.XMLParser
lookup = etree.ElementDe
return parser
if __name__ == "__main__":
tls = ParserTLS()
tree = etree.parse(
print tree.getroot().text
print list(tree.
@Thierry:
I'll ask on the PSRT list. My patch for expat won't be ready until Wednesday but we can release the restricted expat parsers classes for etree, sax and minidom as hotfixes. I'm waiting for some code review now. I also need to get back to the libxml2 guys ASAP.