Escape ec2 XML error responses

Fixes bug 978439

XML error responses to ec2 calls include user supplied data that is not
escaped. This could result in returning invalid XML.

This is addressed by applying utils.xhtml_escape() to the deliberately
generated EC2 error responses and when handling webob.exc.HTTPException.

Extended the tests for utils.xhtml_escape() to cover '&', '>', '<' and a tag
look-alike. These conversions are implicit to saxutils.escape().

Change-Id: Icb3e861c6c06c0d9c3b9e2ab1a658581a0fb39c6
Andrew James 2012-08-30 17:15:35 -06:00
parent 0318efe625
commit f86b24935c
3 changed files with 10 additions and 4 deletions


@ -84,8 +84,9 @@ def ec2_error(req, request_id, code, message):
'<Response><Errors><Error><Code>%s</Code>'
'<Message>%s</Message></Error></Errors>'
'<RequestID>%s</RequestID></Response>' %
(utils.utf8(code), utils.utf8(message),
utils.utf8(request_id)))
(utils.xhtml_escape(utils.utf8(code)),
utils.xhtml_escape(utils.utf8(message)),
utils.xhtml_escape(utils.utf8(request_id))))
return resp
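Review bot: Escaping the five XML-special characters makes the body well-formed against markup injection, but if utils.xhtml_escape() is the saxutils.escape() wrapper the commit message describes, a user-supplied `message` containing control characters (bytes below 0x20 other than tab, newline and carriage return) still produces a document that is not valid XML 1.0; the Fault body in the second file has the same gap. If that case is in scope, filter those characters before escaping, e.g. `message = ''.join(c for c in message if c >= ' ' or c in '\t\n\r')` ahead of the `utils.utf8()` call, or document in ec2_error that callers pass printable text only. The two hunks now build byte-identical response bodies, so a single helper in the ec2 module would keep the escaping in one place and stop a field added later from being escaped in one path but not the other. ec2_error's opening lines, including the `resp` setup this body is assigned to, lie above the hunk.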


@ -58,7 +58,8 @@ class Fault(webob.exc.HTTPException):
'<Response><Errors><Error><Code>%s</Code>'
'<Message>%s</Message></Error></Errors>'
'<RequestID>%s</RequestID></Response>' %
(utils.utf8(code), utils.utf8(message),
utils.utf8(ctxt.request_id)))
(utils.xhtml_escape(utils.utf8(code)),
utils.xhtml_escape(utils.utf8(message)),
utils.xhtml_escape(utils.utf8(ctxt.request_id))))
return resp


@ -460,6 +460,10 @@ class GenericUtilsTestCase(test.TestCase):
def test_xhtml_escape(self):
self.assertEqual('&quot;foo&quot;', utils.xhtml_escape('"foo"'))
self.assertEqual('&apos;foo&apos;', utils.xhtml_escape("'foo'"))
self.assertEqual('&amp;', utils.xhtml_escape('&'))
self.assertEqual('&gt;', utils.xhtml_escape('>'))
self.assertEqual('&lt;', utils.xhtml_escape('<'))
self.assertEqual('&lt;foo&gt;', utils.xhtml_escape('<foo>'))
def test_hash_file(self):
data = 'Mary had a little lamb, its fleece as white as snow'
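Review bot: Each new assertion in test_xhtml_escape exercises a single character, so none of them pins the ordering the escaper depends on (ampersand must be rewritten before the other entities are introduced) or shows that input which already looks escaped is still escaped rather than passed through. One mixed-input case covers both, e.g. `self.assertEqual('&amp;lt;', utils.xhtml_escape('&lt;'))`, and a combined string such as `self.assertEqual('&lt;a href=&quot;x&amp;y&quot;&gt;', utils.xhtml_escape('<a href="x&y">'))` documents the full contract in one line. The GenericUtilsTestCase class continues beyond the hunk, and test_hash_file's body is cut off at its end.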