swift/swift/common
Latest commit d8d04ef43c by Aymeric Ducroquetz: s3api: Prevent XXE injections
Previously, clients could use XML external entities (XXEs) to read
arbitrary files from proxy-servers and inject the content into the
request. Since many S3 APIs reflect request content back to the user,
this could be used to extract any secrets that the swift user could
read, such as tempauth credentials, keymaster secrets, etc.

Now, disable entity resolution -- any unknown entities will be replaced
with an empty string. Without resolving the entities, the request is
still processed.

[CVE-2022-47950]

Closes-Bug: #1998625
Co-Authored-By: Romain de Joux <romain.de-joux@ovhcloud.com>
Change-Id: I84494123cfc85e234098c554ecd3e77981f8a096
(cherry picked from commit b8467e190f)
2023-01-19 14:35:25 -08:00
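The failure mode the commit describes, as an added example that is not swift's own code: an S3-style request body carries an external entity pointing at a file on the proxy server, a parser that resolves entities pulls the file into the document, and because the API echoes that field back, the file leaves with the response. The hardened variant expands the entity to an empty string and still processes the request, which is the behaviour the commit message specifies. The stdlib expat parser is used here to emulate both behaviours in one function; s3api is assumed to build on lxml, where the corresponding switch is `resolve_entities=False` on `lxml.etree.XMLParser`. The multi-object `<Delete>`/`<Key>` reflection scenario, the fake secret file and its contents are all constructed for this example.

```python
# Added example (not swift code): vulnerable vs. hardened XML parse of an
# S3-style request body. Stdlib expat stands in for the project's parser.
import os
import tempfile
import xml.parsers.expat as expat

# Constructed stand-in for a file only the swift user can read
# (e.g. a tempauth or keymaster config on the proxy server).
SECRET_TEXT = "super_admin_key = s3cret-tempauth-key\n"


def write_fake_secret():
    """Create a temp file playing the role of the secret; caller removes it."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w") as f:
        f.write(SECRET_TEXT)
    return path


def malicious_delete_body(secret_path):
    """Constructed multi-object Delete body whose only Key is an external
    entity pointing at a server-side file. A DeleteResult that echoes each
    Key would hand the file content back to the attacker."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE Delete [\n'
        f'  <!ENTITY xxe SYSTEM "file://{secret_path}">\n'
        ']>\n'
        '<Delete><Object><Key>&xxe;</Key></Object></Delete>'
    ).encode()


def benign_delete_body():
    """Constructed ordinary Delete body, to show the hardened parse still works."""
    return b'<Delete><Object><Key>photos/cat.jpg</Key></Object></Delete>'


def extract_keys(body, resolve_entities):
    """Return the text of every <Key> in an S3 Delete body.

    resolve_entities=True emulates a parser that fetches external entities
    (the pre-fix behaviour). With False the entity reference expands to
    nothing: the request still parses, but no file content enters the tree.
    """
    parser = expat.ParserCreate()
    keys, buf, in_key = [], [], [False]

    def start(name, attrs):
        if name == "Key":
            in_key[0] = True
            buf.clear()

    def end(name):
        if name == "Key":
            keys.append("".join(buf))
            in_key[0] = False

    def chars(data):
        if in_key[0]:
            buf.append(data)

    def external_entity(context, base, system_id, public_id):
        # Returning 1 without feeding any data makes the reference expand
        # to an empty string. Only the vulnerable variant opens the file.
        if not resolve_entities:
            return 1
        child = parser.ExternalEntityParserCreate(context)  # inherits handlers
        with open(system_id[len("file://"):], "rb") as f:
            child.Parse(f.read(), True)  # file text lands inside the <Key>
        return 1

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.ExternalEntityRefHandler = external_entity
    parser.Parse(body, True)
    return keys


def demo():
    """Run both variants over the same malicious body; returns (leaked, safe)."""
    path = write_fake_secret()
    try:
        body = malicious_delete_body(path)
        return (extract_keys(body, resolve_entities=True),
                extract_keys(body, resolve_entities=False))
    finally:
        os.unlink(path)


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable parser reflects:", leaked)
    print("hardened parser reflects:  ", safe)
```

The check worth keeping from this: after disabling resolution, the benign body still yields its key, the malicious body yields an empty key rather than a parse error, and nothing read from the filesystem can reach the response. Whatever XML library a service uses, the test is the same: feed it a body with a `SYSTEM` entity and confirm that the reflected field comes back empty.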
Name | Last commit | Date
middleware/ | s3api: Prevent XXE injections | 2023-01-19 14:35:25 -08:00
ring/ | reconciler: PPI aware reconciler | 2021-07-13 13:55:13 +10:00
__init__.py | Start using Hacking | 2013-07-15 11:41:58 +02:00
base_storage_server.py | Allow replication servers to handle all request methods | 2020-07-23 09:11:07 -07:00
bufferedhttp.py | bufferedhttp: Tolerate socket being None | 2021-06-28 16:16:27 -07:00
constraints.py | Deprecate per-service auto_create_account_prefix | 2020-01-05 09:53:30 -06:00
container_sync_realms.py | Allow floats for a couple more intervals | 2021-06-07 15:34:19 -07:00
daemon.py | Enable systemd notify sockets for more daemons | 2021-04-20 15:38:57 -07:00
db.py | Consider tombstone count before shrinking a shard | 2021-05-07 18:41:18 +01:00
db_auditor.py | recon: refactor common recon names into a common location | 2021-06-29 15:22:57 -07:00
db_replicator.py | db: Attempt to clean up part dir post replication | 2022-02-22 16:05:28 -08:00
direct_client.py | Plumb sharding stats though recon middleware | 2021-02-26 15:51:06 +00:00
exceptions.py | Refactor db auditors into a db_auditor base class | 2021-04-09 12:01:21 +10:00
header_key_dict.py | py3: Fix s3api header casing | 2019-11-20 12:14:35 -08:00
http.py | s3api: Better handle 498/429 responses | 2019-12-05 09:42:33 -08:00
http_protocol.py | Inline parse_request from cpython | 2022-12-19 16:13:11 -08:00
internal_client.py | Proxy: override user_agent with backend_user_agent | 2022-01-28 09:46:56 -06:00
linkat.py | pep8: Turn on E305 | 2020-04-03 21:22:38 +02:00
manager.py | swift-init: Re-enable targeted configs | 2021-01-15 13:00:24 -08:00
memcached.py | memcache: Add an item_size_warning_threshold option | 2022-02-15 16:54:17 +00:00
recon.py | recon: refactor common recon names into a common location | 2021-06-29 15:22:57 -07:00
registry.py | Add docs for registry module | 2022-02-10 11:17:06 -08:00
request_helpers.py | Use cached shard ranges for container GETs | 2021-01-06 16:28:49 +00:00
splice.py | pep8: Turn on E305 | 2020-04-03 21:22:38 +02:00
storage_policy.py | reconciler: PPI aware reconciler | 2021-07-13 13:55:13 +10:00
swob.py | Fix some imports for py310 | 2021-11-25 14:54:17 -08:00
utils.py | Quiet more BadStatusLine tracebacks | 2022-02-10 16:53:29 -08:00
wsgi.py | Extract SwiftHttpProtocol to its own module | 2022-12-19 16:13:11 -08:00