Comment 11 for bug 918608

Thierry Carrez (ttx) wrote :

@Nikita: I certainly agree. The description must walk a thin line between blaming Keystone for making reasonable assumptions about SQLAlchemy and ignoring Keystone vulnerability completely. In this case I'd say the vulnerability is in SQLAlchemy, and the lack of a parameter sanitization layer in Keystone made it worse.