1 commit 6659382c4fa348e1ebbce2424968dd7267ea1db1 |
|
2 Author: Alex Gaynor <[email protected]> |
|
3 Date: Mon May 27 02:07:39 2013 +0000 |
|
4 |
|
5 Check user input in XML responses. |
|
6 |
|
7 Fixes bug 1183884. |
|
8 |
|
9 * swift/account/server.py: Escape account name in XML listings. |
|
10 |
|
11 Change-Id: I7ba54631ed1349516132c00a53fae74f0b84ac37 |
|
12 |
|
13 diff --git a/swift/account/server.py b/swift/account/server.py |
|
14 index 81c4d90..baca5a5 100644 |
|
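--- a/swift/account/server.py
+++ b/swift/account/server.py
@@ -241,7 +241,7 @@ class AccountController(object):
 account_list = json.dumps(data)
 elif out_content_type.endswith('/xml'):
 output_list = ['<?xml version="1.0" encoding="UTF-8"?>',
- '<account name="%s">' % account]
+ '<account name="%s">' % saxutils.escape(account)]
 for (name, object_count, bytes_used, is_subdir) in account_list:
 name = saxutils.escape(name)
 if is_subdir: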
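Review bot: `saxutils.escape()` on the added line replaces only `&`, `<` and `>`, so an account name containing a double quote still terminates the `name="%s"` attribute it is interpolated into. For an attribute value the line should read `'<account name=%s>' % saxutils.quoteattr(account)]` (quoteattr supplies the surrounding quotes itself), or keep the format string and pass `saxutils.escape(account, {'"': '&quot;'})`. The same question applies to `name = saxutils.escape(name)` two lines further down if `name` is later written into an attribute; that use is outside the hunk, as are the start and end of the enclosing method. A unit test that requests the XML listing for an account name containing `"` and parses the response with an XML parser would pin the behaviour.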