Escape ec2 XML error responses
Fixes bug 978439. XML error responses to ec2 calls include user supplied data that is not escaped. This could result in returning invalid XML. This is addressed by using utils.xhtml_escape() on purposeful EC2 error responses and when handling webob.exc.HTTPException. Extended the tests for utils.xhtml_escape() to cover '&', '>', '<' and a tag look-alike. These conversions are implicit to saxutils.escape(). Change-Id: Icb3e861c6c06c0d9c3b9e2ab1a658581a0fb39c6
parent
0318efe625
commit
f86b24935c
@ -84,8 +84,9 @@ def ec2_error(req, request_id, code, message):
|
||||
'<Response><Errors><Error><Code>%s</Code>'
|
||||
'<Message>%s</Message></Error></Errors>'
|
||||
'<RequestID>%s</RequestID></Response>' %
|
||||
(utils.utf8(code), utils.utf8(message),
|
||||
utils.utf8(request_id)))
|
||||
(utils.xhtml_escape(utils.utf8(code)),
|
||||
utils.xhtml_escape(utils.utf8(message)),
|
||||
utils.xhtml_escape(utils.utf8(request_id))))
|
||||
return resp
|
||||
|
||||
|
||||
|
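Review bot: Entity-escaping the three fields here does not by itself guarantee well-formed XML, which is the goal the commit message states: characters that XML 1.0 forbids outright (most control characters below 0x20 other than tab, LF and CR) pass through an escape of `&`, `<`, `>` and quotes unchanged, so a user-supplied `message` containing one would presumably still produce a document that strict parsers reject. Consider dropping those characters before escaping, e.g. `message = _XML_ILLEGAL_RE.sub('', message)` with `_XML_ILLEGAL_RE` a new module-level pattern for that range, and doing it in one small helper that returns the escaped field. The same `utils.xhtml_escape(utils.utf8(...))` triple is repeated in the `Fault` hunk below, so a shared helper would also keep the two error paths from drifting apart. The formatted statement and the body of `ec2_error` begin above this hunk, so the surrounding code is not visible here.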
@ -58,7 +58,8 @@ class Fault(webob.exc.HTTPException):
|
||||
'<Response><Errors><Error><Code>%s</Code>'
|
||||
'<Message>%s</Message></Error></Errors>'
|
||||
'<RequestID>%s</RequestID></Response>' %
|
||||
(utils.utf8(code), utils.utf8(message),
|
||||
utils.utf8(ctxt.request_id)))
|
||||
(utils.xhtml_escape(utils.utf8(code)),
|
||||
utils.xhtml_escape(utils.utf8(message)),
|
||||
utils.xhtml_escape(utils.utf8(ctxt.request_id))))
|
||||
|
||||
return resp
|
||||
|
@ -460,6 +460,10 @@ class GenericUtilsTestCase(test.TestCase):
|
||||
def test_xhtml_escape(self):
|
||||
self.assertEqual('"foo"', utils.xhtml_escape('"foo"'))
|
||||
self.assertEqual(''foo'', utils.xhtml_escape("'foo'"))
|
||||
self.assertEqual('&', utils.xhtml_escape('&'))
|
||||
self.assertEqual('>', utils.xhtml_escape('>'))
|
||||
self.assertEqual('<', utils.xhtml_escape('<'))
|
||||
self.assertEqual('<foo>', utils.xhtml_escape('<foo>'))
|
||||
|
||||
def test_hash_file(self):
|
||||
data = 'Mary had a little lamb, its fleece as white as snow'
|
||||
|
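Review bot: These assertions cover `utils.xhtml_escape()` in isolation, but nothing shown on this page tests the two call sites the commit actually fixes, so a later edit that drops the escaping from `ec2_error` or `Fault` would not fail a test. A regression test that triggers an EC2 error whose message contains `<`, `>` and `&` and then checks that the body parses, for example `xml.dom.minidom.parseString(resp.body)`, would pin the behaviour. The expected strings in this rendering look identical to the inputs, which suggests the page decoded the entities; compare against the repository source before relying on them. `test_hash_file` continues past the end of the hunk.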