Comment 39 for bug 1998625

OpenStack Infra (hudson-openstack) wrote: Fix merged to swift (master)

Reviewed: https://review.opendev.org/c/openstack/swift/+/870823
Committed: https://opendev.org/openstack/swift/commit/b8467e190f6fc67fd8fb6a8c5e32b2aa6a10fd8e
Submitter: "Zuul (22348)"
Branch: master

commit b8467e190f6fc67fd8fb6a8c5e32b2aa6a10fd8e
Author: Aymeric Ducroquetz <email address hidden>
Date: Tue Oct 25 22:07:53 2022 +0200

    s3api: Prevent XXE injections

    Previously, clients could use XML external entities (XXEs) to read
    arbitrary files from proxy-servers and inject the content into the
    request. Since many S3 APIs reflect request content back to the user,
    this could be used to extract any secrets that the swift user could
    read, such as tempauth credentials, keymaster secrets, etc.

    Now, disable entity resolution -- any unknown entities will be replaced
    with an empty string. Without resolving the entities, the request is
    still processed.

    [CVE-2022-47950]

    Closes-Bug: #1998625
    Co-Authored-By: Romain de Joux <email address hidden>
    Change-Id: I84494123cfc85e234098c554ecd3e77981f8a096
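The mitigation the commit message describes (never resolve external entities; an unresolved reference contributes nothing to the document) can be illustrated with a small parser. The following is an added example, not swift's own code: s3api is built on lxml, whereas this uses the standard-library expat bindings (`xml.parsers.expat`) so that it runs with no extra dependencies. The element names, the `file:///constructed/...` system id and the sample request body are all constructed for the illustration.

```python
"""XXE-hardened XML parsing with the standard-library expat bindings.

Added example (not swift's code). Demonstrates the principle from the fix:
external entity references are never fetched and are replaced with an
empty string, while ordinary content and internal entities still parse.
"""
from xml.parsers import expat

# Constructed request body: one internal entity (harmless, still expanded)
# and one external entity pointing at a file the parser must never open.
SAMPLE_BODY = b"""<?xml version="1.0"?>
<!DOCTYPE CreateBucketConfiguration [
  <!ENTITY region "us-east-1">
  <!ENTITY xxe SYSTEM "file:///constructed/path/to/secret.txt">
]>
<CreateBucketConfiguration>
  <LocationConstraint>&region;</LocationConstraint>
  <Comment>before-&xxe;-after</Comment>
</CreateBucketConfiguration>
"""


class SafeXMLParser:
    """Collects (tag, text) pairs; external entity references are dropped."""

    def __init__(self):
        self.elements = []          # (tag, text) in document order
        self.dropped_entities = []  # system ids we refused to resolve
        self._text = []
        parser = expat.ParserCreate()
        parser.StartElementHandler = self._start
        parser.EndElementHandler = self._end
        parser.CharacterDataHandler = self._chars
        # The key setting. expat invokes this handler for every reference to
        # an external entity. Returning 1 without creating a sub-parser tells
        # expat the reference was "handled", so it contributes no text at all,
        # i.e. it is replaced by an empty string and the system id is never
        # opened. (Parameter-entity parsing, which would load an external
        # DTD, is off by default in pyexpat.)
        parser.ExternalEntityRefHandler = self._external_entity
        self._parser = parser

    def _start(self, tag, attrs):
        self._text = []

    def _chars(self, data):
        # expat may deliver text in several chunks around the entity
        # reference; joining them yields the text with the entity removed.
        self._text.append(data)

    def _end(self, tag):
        self.elements.append((tag, "".join(self._text)))
        self._text = []

    def _external_entity(self, context, base, system_id, public_id):
        self.dropped_entities.append(system_id)
        return 1  # success as far as expat is concerned; nothing was read

    def parse(self, body):
        self._parser.Parse(body, True)
        return dict(self.elements)


def parse_s3_body(body):
    """Parse a request body; return (fields, dropped external entity ids)."""
    parser = SafeXMLParser()
    fields = parser.parse(body)
    return fields, parser.dropped_entities


if __name__ == "__main__":
    fields, dropped = parse_s3_body(SAMPLE_BODY)
    print("LocationConstraint:", fields["LocationConstraint"])
    print("Comment:", repr(fields["Comment"]))
    print("refused to resolve:", dropped)
```

Because the handler records every refused system id, the same hook doubles as a detection point: a proxy that logs `dropped_entities` (with the request's client and path) sees XXE probes even though they can no longer read anything.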