swift/swift/common/middleware
Aymeric Ducroquetz d8d04ef43c s3api: Prevent XXE injections
Previously, clients could use XML external entities (XXEs) to read
arbitrary files from proxy-servers and inject the content into the
request. Since many S3 APIs reflect request content back to the user,
this could be used to extract any secrets that the swift user could
read, such as tempauth credentials, keymaster secrets, etc.

Now, disable entity resolution -- any unknown entities will be replaced
with an empty string. Without resolving the entities, the request is
still processed.

[CVE-2022-47950]

Closes-Bug: #1998625
Co-Authored-By: Romain de Joux <romain.de-joux@ovhcloud.com>
Change-Id: I84494123cfc85e234098c554ecd3e77981f8a096
(cherry picked from commit b8467e190f)
2023-01-19 14:35:25 -08:00
crypto Move *_swift_info functions into a new registry module 2022-02-03 14:41:13 +00:00
s3api s3api: Prevent XXE injections 2023-01-19 14:35:25 -08:00
versioned_writes Move *_swift_info functions into a new registry module 2022-02-03 14:41:13 +00:00
x_profile Update hacking for Python3 2020-04-03 21:21:07 +02:00
__init__.py Rewrite redirection in cname_lookup & domain_remap 2017-05-11 09:46:29 -04:00
account_quotas.py Move *_swift_info functions into a new registry module 2022-02-03 14:41:13 +00:00
acl.py Use == to compare against the empty string, not is 2019-10-14 17:40:42 -07:00
bulk.py Move *_swift_info functions into a new registry module 2022-02-03 14:41:13 +00:00
catch_errors.py Merge "Content-Length enforcement fixups" 2018-06-29 05:43:39 +00:00
cname_lookup.py Move *_swift_info functions into a new registry module 2022-02-03 14:41:13 +00:00
container_quotas.py Move *_swift_info functions into a new registry module 2022-02-03 14:41:13 +00:00
container_sync.py Move *_swift_info functions into a new registry module 2022-02-03 14:41:13 +00:00
copy.py New Object Versioning mode 2020-01-24 17:39:56 -08:00
crossdomain.py Move *_swift_info functions into a new registry module 2022-02-03 14:41:13 +00:00
dlo.py replace md5 with swift utils version 2020-12-15 09:52:55 -05:00
domain_remap.py Move *_swift_info functions into a new registry module 2022-02-03 14:41:13 +00:00
etag_quoter.py Move *_swift_info functions into a new registry module 2022-02-03 14:41:13 +00:00
formpost.py Move *_swift_info functions into a new registry module 2022-02-03 14:41:13 +00:00
gatekeeper.py Allow internal clients to use reserved namespace 2019-11-27 11:22:00 -06:00
healthcheck.py py3: port healthcheck 2018-06-26 13:20:49 -07:00
keystoneauth.py Add a project scope read-only role to keystoneauth 2021-08-02 14:35:32 -05:00
list_endpoints.py Update SAIO & docker image to use 62xx ports 2020-07-20 15:17:12 -07:00
listing_formats.py Fix up some Content-Type handling in account/container listings 2020-02-28 18:32:38 -08:00
memcache.py memcache: Add an item_size_warning_threshold option 2022-02-15 16:54:17 +00:00
name_check.py Move *_swift_info functions into a new registry module 2022-02-03 14:41:13 +00:00
proxy_logging.py Trim sensitive information in the logs (CVE-2017-8761) 2022-02-09 10:53:46 +00:00
ratelimit.py Move *_swift_info functions into a new registry module 2022-02-03 14:41:13 +00:00
read_only.py read-only: Only act on Swift paths 2022-02-09 14:01:42 -08:00
recon.py Add and pipe reconstructor stats through recon 2021-08-20 00:03:40 +00:00
slo.py Move *_swift_info functions into a new registry module 2022-02-03 14:41:13 +00:00
staticweb.py Move *_swift_info functions into a new registry module 2022-02-03 14:41:13 +00:00
symlink.py Move *_swift_info functions into a new registry module 2022-02-03 14:41:13 +00:00
tempauth.py Deprecate LogAdapter.set_statsd_prefix 2022-02-07 17:46:06 +00:00
tempurl.py Stop partial()ing hashlib.new 2022-06-30 10:24:10 +02:00
xprofile.py Python3: fix test_xprofile.py 2018-12-12 20:26:10 +01:00