diff --git a/keystone/middleware/core.py b/keystone/middleware/core.py index 29a6832b54..99cba4a0e8 100644 --- a/keystone/middleware/core.py +++ b/keystone/middleware/core.py @@ -149,7 +149,14 @@ class XmlBodyMiddleware(wsgi.Middleware): incoming_xml = 'application/xml' in str(request.content_type) if incoming_xml and request.body: request.content_type = 'application/json' - request.body = jsonutils.dumps(serializer.from_xml(request.body)) + try: + request.body = jsonutils.dumps( + serializer.from_xml(request.body)) + except Exception: + LOG.exception('Serializer failed') + e = exception.ValidationError(attribute='valid XML', + target='request body') + return wsgi.render_exception(e) def process_response(self, request, response): """Transform the response from JSON to XML.""" diff --git a/tests/test_content_types.py b/tests/test_content_types.py index a5457ccbcd..844bc84161 100644 --- a/tests/test_content_types.py +++ b/tests/test_content_types.py @@ -868,3 +868,21 @@ class XmlTestCase(RestfulTestCase, CoreApiTests): for tenant in r.body.findall(self._tag('tenant')): self.assertValidTenant(tenant) self.assertIn(tenant.get('enabled'), ['true', 'false']) + + def test_authenticate_with_invalid_xml_in_password(self): + # public_request would auto escape the ampersand + r = self.request( + port=self._public_port(), + method='POST', + path='/v2.0/tokens', + headers={ + 'Content-Type': 'application/xml' + }, + body=""" + + + + + """, + expected_status=400)