openstack
/
openstack
Code Issues Proposed changes

Update git submodules 

* Update swift from branch 'master'
  to 046430f08f1a34a6d3913bad3f7b5a0f7e486fc2
  - Merge "s3api: Prevent XXE injections"
  - s3api: Prevent XXE injections
    
    Previously, clients could use XML external entities (XXEs) to read
    arbitrary files from proxy-servers and inject the content into the
    request. Since many S3 APIs reflect request content back to the user,
    this could be used to extract any secrets that the swift user could
    read, such as tempauth credentials, keymaster secrets, etc.
    
    Now, disable entity resolution -- any unknown entities will be replaced
    with an empty string. Without resolving the entities, the request is
    still processed.
    
    [CVE-2022-47950]
    
    Closes-Bug: #1998625
    Co-Authored-By: Romain de Joux <romain.de-joux@ovhcloud.com>
    Change-Id: I84494123cfc85e234098c554ecd3e77981f8a096
This commit is contained in:
Zuul 2023-01-18 07:01:01 +00:00 committed by Gerrit Code Review
parent f87ae21a2f
commit bceb090a66
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
swift

@ -1 +1 @@
Subproject commit 5344ecf0e56e96c7c5bec3fba35c3bba4ed64180
Subproject commit 046430f08f1a34a6d3913bad3f7b5a0f7e486fc2