swift/test/unit/common
Aymeric Ducroquetz d8d04ef43c s3api: Prevent XXE injections
Previously, clients could use XML external entities (XXEs) to read
arbitrary files from proxy-servers and inject the content into the
request. Since many S3 APIs reflect request content back to the user,
this could be used to extract any secrets that the swift user could
read, such as tempauth credentials, keymaster secrets, etc.

Now, disable entity resolution -- any unknown entities will be replaced
with an empty string. Without resolving the entities, the request is
still processed.

[CVE-2022-47950]

Closes-Bug: #1998625
Co-Authored-By: Romain de Joux <romain.de-joux@ovhcloud.com>
Change-Id: I84494123cfc85e234098c554ecd3e77981f8a096
(cherry picked from commit b8467e190f)
2023-01-19 14:35:25 -08:00
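The mechanism the commit message describes, reduced to a runnable illustration. This is an added example, not Swift's code: s3api itself parses with lxml, while the two parsers below are built on the stdlib expat bindings so the demo runs anywhere. The request body (a PutBucketTagging-shaped document), the tempauth-style line written to a temporary file as the "secret the swift user can read", and the helper names `_make_parser`, `extract_values` and `demo` are all constructed for the example; the path handling assumes a POSIX `file:///...` URL.

```python
import os
import tempfile
import xml.parsers.expat as expat
from urllib.parse import urlparse


class _TextCollector:
    """Accumulate each element's character data, keyed by tag name.

    Stands in for the part of an S3 handler that reads values out of the
    request XML and echoes them back in the response.
    """

    def __init__(self):
        self.text = {}
        self._stack = []

    def start(self, name, attrs):
        self._stack.append(name)
        self.text.setdefault(name, "")

    def end(self, name):
        self._stack.pop()

    def chars(self, data):
        if self._stack:
            self.text[self._stack[-1]] += data


def _make_parser(resolve_external):
    """Build an expat parser that either follows SYSTEM entities or drops them."""
    parser = expat.ParserCreate()
    collector = _TextCollector()
    parser.StartElementHandler = collector.start
    parser.EndElementHandler = collector.end
    parser.CharacterDataHandler = collector.chars

    if resolve_external:
        def fetch_external(context, base, system_id, public_id):
            # Vulnerable behaviour: open whatever the client named in the DTD
            # and splice its contents in as the entity's replacement text.
            # The child parser inherits the collector's handlers, so the file
            # contents land in the element that referenced &xxe;.
            with open(urlparse(system_id).path, "rb") as fh:
                data = fh.read()
            child = parser.ExternalEntityParserCreate(context)
            child.Parse(data, True)
            return 1
        parser.ExternalEntityRefHandler = fetch_external
    # Hardened behaviour: with no ExternalEntityRefHandler (and no
    # DefaultHandler) installed, expat drops the reference, so the element's
    # text is whatever surrounds it, here the empty string. The document
    # still parses, which is the property the commit message relies on.
    return parser, collector


def extract_values(xml_bytes, resolve_external):
    """Parse a request body and return {tag: text} for every element."""
    parser, collector = _make_parser(resolve_external)
    parser.Parse(xml_bytes, True)
    return collector.text


def demo():
    """Run one tagging body through both parsers.

    Returns (value_with_resolution, value_without_resolution).
    """
    # Constructed stand-in for a config file only the proxy user can read.
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write("user_admin_admin = s3cret .admin\n")
        secret_path = fh.name
    try:
        body = (
            b'<?xml version="1.0"?>\n'
            b'<!DOCTYPE Tagging [<!ENTITY xxe SYSTEM "file://'
            + secret_path.encode() + b'">]>\n'
            b'<Tagging><TagSet><Tag>'
            b'<Key>note</Key><Value>&xxe;</Value>'
            b'</Tag></TagSet></Tagging>'
        )
        leaked = extract_values(body, resolve_external=True)["Value"]
        dropped = extract_values(body, resolve_external=False)["Value"]
    finally:
        os.unlink(secret_path)
    return leaked, dropped


if __name__ == "__main__":
    leaked, dropped = demo()
    print("resolving parser echoes:", repr(leaked))
    print("hardened parser echoes: ", repr(dropped))
```

With resolution on, the `Value` element comes back holding the contents of the file named in the DTD, which is exactly what a reflecting API would hand to the client; with resolution off the same request parses cleanly and the element is empty. The example covers only the declared SYSTEM-entity case: an undeclared entity in a document with no DTD is a hard parse error in expat rather than an empty string, and what a given parser does with other entity kinds is parser-specific.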
middleware s3api: Prevent XXE injections 2023-01-19 14:35:25 -08:00
ring Close ring gz file after loading 2021-03-10 19:09:13 +00:00
__init__.py Initial commit of Swift code 2010-07-12 17:03:45 -05:00
corrupted_example.db Real files for bad databases. 2011-08-02 18:21:25 +00:00
malformed_example.db Real files for bad databases. 2011-08-02 18:21:25 +00:00
malformed_schema_example.db Quarantine malformed database schema SQLite errors 2016-12-01 14:17:02 +11:00
missing_container_info.db Quarantine DB without *_stat row 2018-02-07 19:35:05 +01:00
test_base_storage_server.py Allow replication servers to handle all request methods 2020-07-23 09:11:07 -07:00
test_bufferedhttp.py bufferedhttp: Tolerate socket being None 2021-06-28 16:16:27 -07:00
test_constraints.py Deprecate per-service auto_create_account_prefix 2020-01-05 09:53:30 -06:00
test_container_sync_realms.py Allow floats for a couple more intervals 2021-06-07 15:34:19 -07:00
test_daemon.py Cleanup tests' import of debug_logger 2021-04-27 12:04:41 +01:00
test_db.py Consider tombstone count before shrinking a shard 2021-05-07 18:41:18 +01:00
test_db_auditor.py recon: refactor common recon names into a common location 2021-06-29 15:22:57 -07:00
test_db_replicator.py db: Attempt to clean up part dir post replication 2022-02-22 16:05:28 -08:00
test_direct_client.py Cleanup tests' import of debug_logger 2021-04-27 12:04:41 +01:00
test_exceptions.py tests: Clean up some dangling timeouts 2022-01-28 17:48:03 -08:00
test_header_key_dict.py py3: Fix title-casing in HeaderKeyDict 2019-07-25 12:55:03 -07:00
test_http_protocol.py Inline parse_request from cpython 2022-12-19 16:13:11 -08:00
test_internal_client.py Proxy: override user_agent with backend_user_agent 2022-01-28 09:46:56 -06:00
test_linkat.py Fix tests using O_TMPFILE 2018-03-13 12:06:07 +00:00
test_manager.py Don't require swift be installed to have passing manager tests 2021-03-18 16:35:05 -07:00
test_memcached.py memcache: Add an item_size_warning_threshold option 2022-02-15 16:54:17 +00:00
test_recon.py recon: refactor common recon names into a common location 2021-06-29 15:22:57 -07:00
test_registry.py Add docs for registry module 2022-02-10 11:17:06 -08:00
test_request_helpers.py Only test with &-delimited query strings 2021-03-18 16:23:23 -07:00
test_splice.py No longer import nose 2017-11-07 15:39:25 +11:00
test_storage_policy.py reconciler: PPI aware reconciler 2021-07-13 13:55:13 +10:00
test_swob.py Quote paths before sending them to swob.Request.blank 2021-05-27 12:22:57 -07:00
test_utils.py Quiet more BadStatusLine tracebacks 2022-02-10 16:53:29 -08:00
test_wsgi.py Extract SwiftHttpProtocol to its own module 2022-12-19 16:13:11 -08:00