openstack/swift
Code Issues Proposed changes

Forbid substrings based on a regexp in name_filter middleware

Browse Source 
In comments from https://review.openstack.org/8798 it was raised that it
might make sense to forbid some substrings in the name_filter
middleware.

There is now a new forbidden_regexp option for the name_filter
middleware to specify which substrings to forbid. The default is
"/\./|/\.\./|/\.$|/\.\.$" (or in a non-regexp language: the /./ and /../
substrings as well as strings ending with /. or /..).

This can be useful for extra paranoia to avoid directory traversals
(bug 1005908), or for more general filtering.

Change-Id: I39bf2de45b9dc7d3ca4d350d24b3f2276e958a62
DocImpact: new forbidden_regexp option for the name_filter middleware
This commit is contained in:
Vincent Untz
2012-07-05 15:43:14 +02:00
parent 31ff3da485
commit faff4ae769
4 changed files with 53 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
doc/manpages/proxy-server.conf.5
View File

@@ -427,6 +427,8 @@ The default is \fBegg:swift#name_check\fR.
Characters that will not be allowed in a name.
.IP \fBmaximum_length\fR
Maximum number of characters that can be in the name.
.IP \fBforbidden_regexp\fR
Python regular expressions of substrings that will not be allowed in a name.
.RE