Previously, clients could use XML external entities (XXEs) to read
arbitrary files from proxy-servers and inject the content into the
request. Since many S3 APIs reflect request content back to the user,
this could be used to extract any secrets that the swift user could
read, such as tempauth credentials, keymaster secrets, etc.
Now, disable entity resolution -- any unknown entities will be replaced
with an empty string. Without resolving the entities, the request is
still processed.
Reviewed: https:/ /review. opendev. org/c/openstack /swift/ +/870823 /opendev. org/openstack/ swift/commit/ b8467e190f6fc67 fd8fb6a8c5e32b2 aa6a10fd8e
Committed: https:/
Submitter: "Zuul (22348)"
Branch: master
commit b8467e190f6fc67 fd8fb6a8c5e32b2 aa6a10fd8e
Author: Aymeric Ducroquetz <email address hidden>
Date: Tue Oct 25 22:07:53 2022 +0200
s3api: Prevent XXE injections
Previously, clients could use XML external entities (XXEs) to read
arbitrary files from proxy-servers and inject the content into the
request. Since many S3 APIs reflect request content back to the user,
this could be used to extract any secrets that the swift user could
read, such as tempauth credentials, keymaster secrets, etc.
Now, disable entity resolution -- any unknown entities will be replaced
with an empty string. Without resolving the entities, the request is
still processed.
[CVE- 2022-47950]
Closes-Bug: #1998625 234098c554ecd3e 77981f8a096
Co-Authored-By: Romain de Joux <email address hidden>
Change-Id: I84494123cfc85e