Comment 0 for bug 1327414

John Dickinson (notmyname) wrote: www-authenticate value isn't quoted

The WWW-Authenticate header value (returned on a 401 response) includes user-supplied strings to indicate the proper auth realm. However, Swift un-quotes the URL and then sets the value in the response. This means that a URL can be constructed that includes new HTML content at the hoster's own domain.

For example:

http://saio:8080/v1/AUTH_infra%0A%0A%3Cb%3EHello%20World%3Cp%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3EYou%20should%20not%20see%20this%3Cp%20style%3D%22display%3A%20hidden%22%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E

The fix is to ensure the www-authenticate value is quoted.
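The following is an added example illustrating the defect and the fix described in this comment; it is not Swift's own code. The function names (`realm_from_path`, `unsafe_www_authenticate`, `safe_www_authenticate`, `header_is_single_line`) and the sample path are hypothetical, and the header layout `Swift realm="..."` is assumed only to keep the example concrete. The point it demonstrates is the one above: once a percent-encoded newline in the account segment has been URL-decoded, placing that string into a header verbatim ends the header line, while re-quoting it keeps the header on a single line.

```python
"""Building a WWW-Authenticate header whose realm is derived from the request path.

Hypothetical example, not Swift's own code. The account segment of a
/v1/<account>/... path is used as the auth realm, mirroring the bug described
above, where the decoded path value was copied into the header unquoted.
"""
from urllib.parse import quote, unquote

# Characters that terminate a header line in an HTTP response.
CRLF = ("\r", "\n")


def realm_from_path(path):
    """Return the account segment of a /v1/<account>/... path, URL-decoded.

    Decoding is where a percent-encoded newline (%0A) becomes a raw newline,
    which is the value the vulnerable header builder then reuses.
    """
    parts = path.split("/", 3)
    if len(parts) < 3 or parts[1] != "v1":
        return None
    return unquote(parts[2])


def unsafe_www_authenticate(account):
    """Vulnerable form: the decoded account is placed into the header verbatim.

    A decoded CR/LF ends the header line, so whatever follows is no longer part
    of the WWW-Authenticate value.
    """
    return 'Swift realm="%s"' % account


def safe_www_authenticate(account):
    """Hardened form: percent-encode the realm before building the header.

    quote() with safe="" encodes CR, LF, double quotes and every other
    non-unreserved character, so the header value stays on one line.
    """
    return 'Swift realm="%s"' % quote(account, safe="")


def header_is_single_line(value):
    """Sanity check a header value for the CR/LF characters that split a header."""
    return not any(c in value for c in CRLF)


if __name__ == "__main__":
    # Constructed sample path with a percent-encoded double newline in the account.
    sample_path = "/v1/AUTH_infra%0A%0Aextra/container/object"
    account = realm_from_path(sample_path)
    print("decoded account:", repr(account))
    print("unsafe header  :", repr(unsafe_www_authenticate(account)))
    print("safe header    :", repr(safe_www_authenticate(account)))
```

Running the module prints the decoded account and both header forms; the unsafe one contains raw newlines, the safe one carries them as `%0A`. A useful regression check for any middleware that echoes request-derived text into a header is the `header_is_single_line` test applied to the final header value, since the quoting step can be silently lost in a refactor.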