components/openstack/swift/patches/03-CVE-2013-2161.patch
branchs11-update
changeset 3135 0a68f5e884e0
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openstack/swift/patches/03-CVE-2013-2161.patch	Fri May 16 15:26:52 2014 -0700
@@ -0,0 +1,25 @@
+commit 6659382c4fa348e1ebbce2424968dd7267ea1db1
+Author: Alex Gaynor <[email protected]>
+Date:   Mon May 27 02:07:39 2013 +0000
+
+    Check user input in XML responses.
+    
+    Fixes bug 1183884.
+    
+    * swift/account/server.py: Escape account name in XML listings.
+    
+    Change-Id: I7ba54631ed1349516132c00a53fae74f0b84ac37
+
+diff --git a/swift/account/server.py b/swift/account/server.py
+index 81c4d90..baca5a5 100644
+--- a/swift/account/server.py
++++ b/swift/account/server.py
+@@ -241,7 +241,7 @@ class AccountController(object):
+             account_list = json.dumps(data)
+         elif out_content_type.endswith('/xml'):
+             output_list = ['<?xml version="1.0" encoding="UTF-8"?>',
+-                           '<account name="%s">' % account]
++                           '<account name="%s">' % saxutils.escape(account)]
+             for (name, object_count, bytes_used, is_subdir) in account_list:
+                 name = saxutils.escape(name)
+                 if is_subdir:
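Review bot: `saxutils.escape(account)` on the added line of the swift/account/server.py hunk escapes only `&`, `<` and `>` by default, so a double quote in the account name still terminates the `name="…"` attribute it is interpolated into. For an attribute value the call should cover quotes too, e.g. `'<account name=%s>' % saxutils.quoteattr(account)` (quoteattr supplies the surrounding quotes itself) or `saxutils.escape(account, {'"': '&quot;'})`. The context line `name = saxutils.escape(name)` may have the same gap if `name` is later written into an attribute; that use, like the rest of the method, is outside the hunk. A regression test with an account name containing `"`, `<` and `&` that parses the XML listing would pin the behaviour.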