--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openstack/swift/patches/03-CVE-2013-2161.patch Fri May 16 15:26:52 2014 -0700
@@ -0,0 +1,25 @@
+commit 6659382c4fa348e1ebbce2424968dd7267ea1db1
+Author: Alex Gaynor <[email protected]>
+Date: Mon May 27 02:07:39 2013 +0000
+
+ Check user input in XML responses.
+
+ Fixes bug 1183884.
+
+ * swift/account/server.py: Escape account name in XML listings.
+
+ Change-Id: I7ba54631ed1349516132c00a53fae74f0b84ac37
+
+diff --git a/swift/account/server.py b/swift/account/server.py
+index 81c4d90..baca5a5 100644
+--- a/swift/account/server.py
++++ b/swift/account/server.py
+@@ -241,7 +241,7 @@ class AccountController(object):
+ account_list = json.dumps(data)
+ elif out_content_type.endswith('/xml'):
+ output_list = ['<?xml version="1.0" encoding="UTF-8"?>',
+- '<account name="%s">' % account]
++ '<account name="%s">' % saxutils.escape(account)]
+ for (name, object_count, bytes_used, is_subdir) in account_list:
+ name = saxutils.escape(name)
+ if is_subdir: