OpenStack Object Storage (swift)

Bug #1998625
Comment #13

Comment 13 for bug 1998625

Revision history for this message

Tim Burke (1-tim-z) wrote on 2022-12-13: Re: Arbitrary file access through custom S3 XML entities

#13

0001-s3api-Prevent-XXE-injections.patch Edit (12.5 KiB, text/plain)

Good call on the py2 fixups, Matt, thanks! There was one more f-string in test_complete_multipart_upload I've fixed up.

Getting an unexpected 500 in test_put_bucket_acl -- server logs have

Dec 13 17:13:05 saio proxy-server: __str__ returned non-string (type NoneType):
Traceback (most recent call last):
  File "/vagrant/swift/swift/common/middleware/s3api/s3api.py", line 345, in __call__
    resp = self.handle_request(req)
  File "/vagrant/swift/swift/common/middleware/s3api/s3api.py", line 383, in handle_request
    res = handler(req)
  File "/vagrant/swift/swift/common/middleware/s3api/controllers/s3_acl.py", line 65, in PUT
    req.get_response(self.app, 'POST')
  File "/vagrant/swift/swift/common/middleware/s3api/s3request.py", line 1615, in get_response
    resp = self.acl_handler.handle_acl(
  File "/vagrant/swift/swift/common/middleware/s3api/acl_handlers.py", line 94, in handle_acl
    return getattr(ah, method)(app)
  File "/vagrant/swift/swift/common/middleware/s3api/acl_handlers.py", line 291, in POST
    'Grant %s %s permission on the bucket /%s' %
TypeError: __str__ returned non-string (type NoneType) (txn: txa58de4ecc14e45f7ac5a0-006398b2a1) (client_ip: 192.168.8.1)

I think I see the problem, but I'll just update the test to avoid it for now and write up a separate bug.