Comment 50 for bug 1998625

OpenStack Infra (hudson-openstack) wrote : Fix merged to swift (stable/ussuri)

Reviewed: https://review.opendev.org/c/openstack/swift/+/871243
Committed: https://opendev.org/openstack/swift/commit/baa98848451b5c234443a068691e12841a5a8383
Submitter: "Zuul (22348)"
Branch: stable/ussuri

commit baa98848451b5c234443a068691e12841a5a8383
Author: Aymeric Ducroquetz <email address hidden>
Date: Tue Oct 25 22:07:53 2022 +0200

    s3api: Prevent XXE injections

    Previously, clients could use XML external entities (XXEs) to read
    arbitrary files from proxy-servers and inject the content into the
    request. Since many S3 APIs reflect request content back to the user,
    this could be used to extract any secrets that the swift user could
    read, such as tempauth credentials, keymaster secrets, etc.

    Now, disable entity resolution -- any unknown entities will be replaced
    with an empty string. Without resolving the entities, the request is
    still processed.

    [CVE-2022-47950]

    Closes-Bug: #1998625
    Co-Authored-By: Romain de Joux <email address hidden>
    Change-Id: I84494123cfc85e234098c554ecd3e77981f8a096
    (cherry picked from commit b8467e190f6fc67fd8fb6a8c5e32b2aa6a10fd8e)
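The mitigation the commit message describes, shown as an added example rather than swift's own fix (that lives in the linked commit): a standard-library SAX parse of a constructed S3-style request body with external general entity resolution switched off, so a SYSTEM entity contributes no content and the referenced file never reaches the reflected field.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed sample body (not from the page): an S3-style
# CompleteMultipartUpload document declaring an external entity that
# points at a local file and referencing it inside a reflected field.
XXE_BODY = b"""<?xml version="1.0"?>
<!DOCTYPE CompleteMultipartUpload [
  <!ENTITY leak SYSTEM "file:///etc/hostname">
]>
<CompleteMultipartUpload>
  <Part><PartNumber>1</PartNumber><ETag>"&leak;"</ETag></Part>
</CompleteMultipartUpload>"""


class ETagCollector(ContentHandler):
    """Collects the text of every ETag element in document order."""

    def __init__(self):
        super().__init__()
        self.etags = []
        self._buf = None

    def startElement(self, name, attrs):
        if name == "ETag":
            self._buf = []

    def characters(self, content):
        if self._buf is not None:
            self._buf.append(content)

    def endElement(self, name):
        if name == "ETag":
            self.etags.append("".join(self._buf))
            self._buf = None


def parse_etags(body):
    """Parse an S3-style body and return the ETag values it carries."""
    parser = xml.sax.make_parser()
    # Hardening: never fetch external general entities. The reference
    # &leak; then expands to nothing instead of to the file's contents.
    parser.setFeature(feature_external_ges, False)
    handler = ETagCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(body))
    return handler.etags
```

With resolution disabled the parse still succeeds, which matches the commit's point that the request is processed without the entity's content.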