The fix attached to https://bugs.launchpad.net/swift/+bug/1998625/comments/13 seems to prevent the bad request from being accepted, but I get an InternalServer error:
```
vagrant@vagrant:~$ curl 'http://saio3:8080/my-bucket?acl=' -X PUT -H "Host: saio3:8080" -H "Content-Type: application/x-www-form-urlencoded; charset=utf-8" -H "X-Amz-Content-Sha256: cfef77034aa96b13190894b26347367d4e95bc3aa2212f467eaae66c75250510" -H "X-Amz-Date: 20221220T193239Z" -H "Authorization: AWS4-HMAC-SHA256 Credential=test:tester/20221220/us-east-1/s3/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-content-sha256;x-amz-date, Signature=660efe254e6d3210293e778718b5391ca831e2c814c8ec1ebb9300d004430d78" --data-binary ' ]>
test:tester
test:tester
&xxe;
&xxe;
WRITE
'
InternalError
We encountered an internal error. Please try again.tx9ad37d73d7c542c7b8ca0-0063a20f21__str__ returned non-string (type NoneType)
```
I fixed that with this change (but I am new to this code, so I am not sure this is sufficient or appropriate):
```
diff --git a/swift/common/middleware/s3api/subresource.py b/swift/common/middleware/s3api/subresource.py
index 1aa47b4b2..cb7f2c7b5 100644
--- a/swift/common/middleware/s3api/subresource.py
+++ b/swift/common/middleware/s3api/subresource.py
@@ -167,6 +167,8 @@ class Grantee(object):
type = elem.get('{%s}type' % XMLNS_XSI)
if type == 'CanonicalUser':
value = elem.find('./ID').text
+ if not value:
+ raise MalformedACLError()
return User(value)
elif type == 'Group':
value = elem.find('./URI').text
```
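Review bot: the added `if not value` check sits only in the `CanonicalUser` branch, while the `Group` branch in the trailing context reads `elem.find('./URI').text` the same way and stays unguarded, so an empty `URI` can still pass `None` onward. The check also runs after `.text` has been dereferenced, so a grant with no `ID` element at all (where `elem.find('./ID')` returns `None`) would still fail before reaching it. Consider testing the result of `find()` before taking `.text`, raising `MalformedACLError()` for a missing or empty value in both branches, and adding a unit test for a grantee with an empty `ID` that expects the MalformedACLError response rather than InternalError.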
resulting in:
```
vagrant@vagrant:~$ curl 'http://saio3:8080/my-bucket?acl=' -X PUT -H "Host: saio3:8080" -H "Content-Type: application/x-www-form-urlencoded; charset=utf-8" -H "X-Amz-Content-Sha256: cfef77034aa96b13190894b26347367d4e95bc3aa2212f467eaae66c75250510" -H "X-Amz-Date: 20221220T193239Z" -H "Authorization: AWS4-HMAC-SHA256 Credential=test:tester/20221220/us-east-1/s3/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-content-sha256;x-amz-date, Signature=660efe254e6d3210293e778718b5391ca831e2c814c8ec1ebb9300d004430d78" --data-binary ' ]>
test:tester
test:tester
&xxe;
&xxe;
WRITE
'
MalformedACLError
The XML you provided was not well-formed or did not validate against our published schema.tx985d10197d15433489726-0063a20faf
```