Comment 52 for bug 1998625

OpenStack Infra (hudson-openstack) wrote : Fix merged to swift (stable/stein)

Reviewed: https://review.opendev.org/c/openstack/swift/+/871501
Committed: https://opendev.org/openstack/swift/commit/12e54391861e7d182d58f89fb88b027e65842640
Submitter: "Zuul (22348)"
Branch: stable/stein

commit 12e54391861e7d182d58f89fb88b027e65842640
Author: Aymeric Ducroquetz <email address hidden>
Date: Tue Oct 25 22:07:53 2022 +0200

    s3api: Prevent XXE injections

    Previously, clients could use XML external entities (XXEs) to read
    arbitrary files from proxy-servers and inject the content into the
    request. Since many S3 APIs reflect request content back to the user,
    this could be used to extract any secrets that the swift user could
    read, such as tempauth credentials, keymaster secrets, etc.

    Now, disable entity resolution -- any unknown entities will be replaced
    with an empty string. Without resolving the entities, the request is
    still processed.

    [CVE-2022-47950]

    Closes-Bug: #1998625
    Co-Authored-By: Romain de Joux <email address hidden>
    Change-Id: I84494123cfc85e234098c554ecd3e77981f8a096
    (cherry picked from commit b8467e190f6fc67fd8fb6a8c5e32b2aa6a10fd8e)
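The two behaviours the commit message describes, as an added example that is not part of this bug comment or of Swift's own code: a constructed S3 tagging body carries an external entity pointing at a local file, and the same document is run through a parser that resolves external entities (the pre-fix behaviour, which splices the file into the reflected value) and one that acknowledges the reference without fetching it (the fix, which leaves an empty string and keeps processing the request). It uses the standard-library expat bindings rather than the XML library Swift's s3api uses, and the "secret" file, the tag body and the function names are all constructed for the example.

```python
import os
import tempfile
import xml.parsers.expat as expat

# Constructed S3 tagging-style body carrying an XXE payload.  The DOCTYPE
# declares an external entity that points at a local file and references it
# inside <Value>, which an S3 API would echo back to the client later.
XXE_BODY = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Tagging [
  <!ENTITY xxe SYSTEM "file://{secret_path}">
]>
<Tagging><TagSet><Tag><Key>note</Key><Value>&xxe;</Value></Tag></TagSet></Tagging>
"""


def parse_tag_value(body: str, resolve_entities: bool) -> str:
    """Return the text of <Value> from a tagging body (hypothetical helper).

    resolve_entities=True mimics the pre-fix parser: external entities are
    read from disk and spliced into the document.  resolve_entities=False
    mimics the fix: the reference is acknowledged but never fetched, so it
    expands to the empty string and the rest of the document still parses.
    """
    chunks = []
    inside_value = False
    parser = expat.ParserCreate()

    def on_start(name, attrs):
        nonlocal inside_value
        if name == "Value":
            inside_value = True

    def on_end(name):
        nonlocal inside_value
        if name == "Value":
            inside_value = False

    def on_chardata(data):
        if inside_value:
            chunks.append(data)

    def on_external_entity(context, base, system_id, public_id):
        if not resolve_entities:
            # Fix: a non-zero return keeps the parse going, nothing is read.
            return 1
        path = system_id[len("file://"):] if system_id.startswith("file://") else system_id
        with open(path, "rb") as fh:
            payload = fh.read()
        # Vulnerable: parse the file as an external parsed entity.  The child
        # parser shares this parser's handlers, so the file's text is
        # delivered as character data inside <Value>.
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(payload, True)
        return 1

    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_chardata
    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(body, True)
    return "".join(chunks)


def demo() -> tuple:
    """Run both parser modes against a constructed secret file."""
    # Constructed stand-in for something the swift user can read, such as a
    # tempauth credential; not a real secret.
    secret = "AUTH_admin_key = not-a-real-secret"
    fd, path = tempfile.mkstemp(suffix=".conf")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(secret)
        body = XXE_BODY.format(secret_path=path)
        leaked = parse_tag_value(body, resolve_entities=True)
        fixed = parse_tag_value(body, resolve_entities=False)
    finally:
        os.unlink(path)
    return leaked, fixed


if __name__ == "__main__":
    leaked, fixed = demo()
    print("resolving parser reflected:", repr(leaked))
    print("hardened parser reflected: ", repr(fixed))
```

The check a reviewer would want is the second result: the hardened mode does not reject the request, it parses the body with the entity reference contributing nothing, which is the behaviour the commit message describes. With lxml, which is the library Swift's s3api uses for its XML handling, the corresponding knob is `etree.XMLParser(resolve_entities=False)`; a parser that also needs to reject DTDs altogether can add `no_network=True` and check `docinfo` for a DTD, but that goes beyond what this fix does.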