let the XML parser fail gracefully on malformed XML

44b56ed0 · Can Yavuz · 66eabe8b · 44b56ed0 · 44b56ed0
Commit 44b56ed0 authored Feb 22, 2012 by Can Yavuz
Hide whitespace changes
Inline Side-by-side

Showing with 13 additions and 1 deletions

djangorestframework/compat.py
+6 -0

djangorestframework/parsers.py
+7 -1

No files found.
--- a/djangorestframework/compat.py
+++ b/djangorestframework/compat.py
@@ -465,3 +465,9 @@ except:
    from django.core.urlresolvers import reverse
    from django.utils.functional import lazy
    reverse_lazy = lazy(reverse, str)
+# xml.etree.parse only throws ParseError for python >= 2.7
+try:
+    from xml.etree import ParseError as ETParseError
+except ImportError: # python < 2.7
+    ETParseError = None
--- a/djangorestframework/parsers.py
+++ b/djangorestframework/parsers.py
@@ -20,6 +20,8 @@ from djangorestframework.compat import yaml
 from djangorestframework.response import ErrorResponse
 from djangorestframework.utils.mediatypes import media_type_matches
 from xml.etree import ElementTree as ET
+from djangorestframework.compat import ETParseError
+from xml.parsers.expat import ExpatError
 import datetime
 import decimal
@@ -185,7 +187,11 @@ class XMLParser(BaseParser):
        `data` will simply be a string representing the body of the request.
        `files` will always be `None`.
        """
-        tree = ET.parse(stream)
+        try:
+          tree = ET.parse(stream)
+        except (ExpatError, ETParseError, ValueError), exc:
+          content = {'detail': 'XML parse error - %s' % unicode(exc)}
+          raise ErrorResponse(status.HTTP_400_BAD_REQUEST, content)
        data = self._xml_convert(tree.getroot())
        return (data, None)