Mercurial Mercurial > upstream > oracle > userland-gate / comparison
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
components/openstack/swift/patches/03-CVE-2013-2161.patch
changeset 1944 56ac2df1785b
parent 1943 1a27f000029f
child 1945 3dc1935a2189
equal deleted inserted replaced
1943:1a27f000029f 1944:56ac2df1785b 
     1 commit 6659382c4fa348e1ebbce2424968dd7267ea1db1
 
       
     2 Author: Alex Gaynor <[email protected]>
 
       
     3 Date:   Mon May 27 02:07:39 2013 +0000
 
       
     4 
       
     5     Check user input in XML responses.
 
       
     6     
       
     7     Fixes bug 1183884.
 
       
     8     
       
     9     * swift/account/server.py: Escape account name in XML listings.
 
       
    10     
       
    11     Change-Id: I7ba54631ed1349516132c00a53fae74f0b84ac37
 
       
    12 
       
    13 diff --git a/swift/account/server.py b/swift/account/server.py
 
       
    14 index 81c4d90..baca5a5 100644
 
       
    15 --- a/swift/account/server.py
 
       
    16 +++ b/swift/account/server.py
 
       
    17 @@ -241,7 +241,7 @@ class AccountController(object):
 
       
    18              account_list = json.dumps(data)
 
       
    19          elif out_content_type.endswith('/xml'):
 
       
    20              output_list = ['<?xml version="1.0" encoding="UTF-8"?>',
 
       
    21 -                           '<account name="%s">' % account]
 
       
    22 +                           '<account name="%s">' % saxutils.escape(account)]
 
       
    23              for (name, object_count, bytes_used, is_subdir) in account_list:
 
       
    24                  name = saxutils.escape(name)
 
       
    25                  if is_subdir:
upstream/oracle/userland-gate