Merge "Quote paths before sending them to swob.Request.blank"

Zuul 2021-05-31 23:22:36 +00:00 committed by Gerrit Code Review
commit 2c71e7416c
2 changed files with 5 additions and 10 deletions


@ -35,6 +35,7 @@ import mock
import unittest import unittest
import hashlib import hashlib
import six import six
from six.moves.urllib.parse import quote
from time import time, strftime, gmtime from time import time, strftime, gmtime
from swift.common.middleware import tempauth, tempurl from swift.common.middleware import tempauth, tempurl
@ -350,7 +351,7 @@ class TestTempURL(unittest.TestCase):
key = b'abc' key = b'abc'
hmac_body = ('%s\n%i\n%s' % (method, expires, path)).encode('utf-8') hmac_body = ('%s\n%i\n%s' % (method, expires, path)).encode('utf-8')
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest() sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
req = self._make_request(path, keys=[key], environ={ req = self._make_request(quote(path), keys=[key], environ={
'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s' % ( 'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s' % (
sig, expires)}) sig, expires)})
self.tempurl.app = FakeApp(iter([('200 Ok', (), '123')])) self.tempurl.app = FakeApp(iter([('200 Ok', (), '123')]))
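Review bot: The request is now built from `quote(path)` while `hmac_body`, two lines above, still signs the raw `path`, and nothing at the `_make_request` call says the mismatch is deliberate. Presumably the middleware verifies the signature against the decoded PATH_INFO, so signing the unquoted value is correct, but a later reader could easily "fix" it by signing the quoted form. A one-line comment above the call would prevent that, for example `# sign the raw path; only the request path itself is percent-encoded`. The test method starts and ends outside the hunk, so the value of `path` is not visible here.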


@ -789,14 +789,8 @@ class TestRequest(unittest.TestCase):
hacker = 'account-name\n\n<b>foo<br>' # url injection test hacker = 'account-name\n\n<b>foo<br>' # url injection test
quoted_hacker = quote(hacker) quoted_hacker = quote(hacker)
req = swob.Request.blank('/v1/' + hacker)
resp = req.get_response(test_app)
self.assertEqual(resp.status_int, 401)
self.assertTrue('Www-Authenticate' in resp.headers)
self.assertEqual('Swift realm="%s"' % quoted_hacker,
resp.headers['Www-Authenticate'])
req = swob.Request.blank('/v1/' + quoted_hacker) req = swob.Request.blank('/v1/' + quoted_hacker)
self.assertIn(hacker, req.environ['PATH_INFO']) # sanity check
resp = req.get_response(test_app) resp = req.get_response(test_app)
self.assertEqual(resp.status_int, 401) self.assertEqual(resp.status_int, 401)
self.assertTrue('Www-Authenticate' in resp.headers) self.assertTrue('Www-Authenticate' in resp.headers)
@ -974,11 +968,11 @@ class TestRequest(unittest.TestCase):
self.assertEqual(_test_split_path('/a/c/', 2), ['a', 'c']) self.assertEqual(_test_split_path('/a/c/', 2), ['a', 'c'])
self.assertEqual(_test_split_path('/a/c/', 2, 3), ['a', 'c', '']) self.assertEqual(_test_split_path('/a/c/', 2, 3), ['a', 'c', ''])
try: try:
_test_split_path('o\nn e', 2) _test_split_path('o%0an e', 2)
except ValueError as err: except ValueError as err:
self.assertEqual(str(err), 'Invalid path: o%0An%20e') self.assertEqual(str(err), 'Invalid path: o%0An%20e')
try: try:
_test_split_path('o\nn e', 2, 3, True) _test_split_path('o%0an e', 2, 3, True)
except ValueError as err: except ValueError as err:
self.assertEqual(str(err), 'Invalid path: o%0An%20e') self.assertEqual(str(err), 'Invalid path: o%0An%20e')
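Review bot: Both `try`/`except ValueError` blocks around `_test_split_path('o%0an e', ...)` pass silently when no exception is raised, because as shown the only assertion sits in the `except` branch. With the input now percent-encoded, a regression that let this path through would remove the check that a newline in the path is rejected and reported escaped as `o%0An%20e`, and no test would fail. Wrap each call in `with self.assertRaises(ValueError) as cm:` and follow it with `self.assertEqual(str(cm.exception), 'Invalid path: o%0An%20e')`. The enclosing test method starts outside the hunk.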