--- a/components/openstack/swift/patches/CVE-2015-5223.patch Fri Feb 05 11:09:10 2016 -0800
+++ b/components/openstack/swift/patches/CVE-2015-5223.patch Fri Feb 05 17:54:17 2016 -0500
@@ -1,3 +1,6 @@
+This upstream patch addresses CVE-2015-5223 in swift. It may be removed
+when swift 2.4.0 or later is integrated.
+
From 0694e1911d10a18075ff99462c96781372422b2c Mon Sep 17 00:00:00 2001
From: Clay Gerrard <[email protected]>
Date: Thu, 23 Jul 2015 22:36:21 -0700
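Review bot: The header comment added at the top does not record that the patch body was re-diffed against swift-2.3.0, although the `From 0694e1911d10a18075ff99462c96781372422b2c` line below it still presents the file as the upstream commit. The later hunks drop the `diff --git`/`index` lines for all three files, shift every offset, and change one context line in tempurl.py (the `swift.proxy.controllers.base` import now also lists `get_container_info`), so the file can no longer be matched to upstream by blob id. For a CVE fix that difference is worth stating, so I would add a third sentence such as `Re-diffed against swift-2.3.0: offsets and context differ from the upstream commit, the added lines do not.` Confirm the last clause against upstream before committing it, since the bodies of the inner hunks are not visible in this diff.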
@@ -25,20 +28,13 @@
Closes-Bug: 1453948
Change-Id: I91161dfb0f089c3990aca1b4255b520299ef73c8
----
- swift/common/middleware/tempurl.py | 31 ++++++++++++++++++++++++-
- test/functional/tests.py | 36 +++++++++++++++++++++++++++++
- test/unit/common/middleware/test_tempurl.py | 19 +++++++++++++++
- 3 files changed, 85 insertions(+), 1 deletion(-)
-diff --git a/swift/common/middleware/tempurl.py b/swift/common/middleware/tempurl.py
-index c2381b3..1f94e8d 100644
---- a/swift/common/middleware/tempurl.py
-+++ b/swift/common/middleware/tempurl.py
-@@ -119,11 +119,13 @@ from urllib import urlencode
+--- swift-2.3.0/swift/common/middleware/tempurl.py.~1~ 2015-04-30 09:57:42.000000000 -0400
++++ swift-2.3.0/swift/common/middleware/tempurl.py 2015-11-03 17:11:02.364113024 -0500
+@@ -122,11 +122,13 @@
from urlparse import parse_qs
- from swift.proxy.controllers.base import get_account_info
+ from swift.proxy.controllers.base import get_account_info, get_container_info
-from swift.common.swob import HeaderKeyDict, HTTPUnauthorized
+from swift.common.swob import HeaderKeyDict, HTTPUnauthorized, HTTPBadRequest
from swift.common.utils import split_path, get_valid_utf8_str, \
@@ -50,7 +46,7 @@
#: Default headers to remove from incoming requests. Simply a whitespace
#: delimited list of header names and names can optionally end with '*' to
#: indicate a prefix match. DEFAULT_INCOMING_ALLOW_HEADERS is a list of
-@@ -227,6 +229,10 @@ class TempURL(object):
+@@ -230,6 +232,10 @@
#: The methods allowed with Temp URLs.
self.methods = methods
@@ -61,7 +57,7 @@
headers = DEFAULT_INCOMING_REMOVE_HEADERS
if 'incoming_remove_headers' in conf:
headers = conf['incoming_remove_headers']
-@@ -320,6 +326,13 @@ class TempURL(object):
+@@ -323,6 +329,13 @@
for hmac in hmac_vals)
if not is_valid_hmac:
return self._invalid(env, start_response)
@@ -75,7 +71,7 @@
self._clean_incoming_headers(env)
env['swift.authorize'] = lambda req: None
env['swift.authorize_override'] = True
-@@ -456,6 +469,22 @@ class TempURL(object):
+@@ -465,6 +478,22 @@
body = '401 Unauthorized: Temp URL invalid\n'
return HTTPUnauthorized(body=body)(env, start_response)
@@ -98,11 +94,9 @@
def _clean_incoming_headers(self, env):
"""
Removes any headers from the WSGI environment as per the
-diff --git a/test/functional/tests.py b/test/functional/tests.py
-index e57f22b..654949f 100644
---- a/test/functional/tests.py
-+++ b/test/functional/tests.py
-@@ -2687,6 +2687,42 @@ class TestTempurl(Base):
+--- swift-2.3.0/test/functional/tests.py.~1~ 2015-04-30 09:57:42.000000000 -0400
++++ swift-2.3.0/test/functional/tests.py 2015-11-03 15:27:42.202245458 -0500
+@@ -2732,6 +2732,42 @@
self.assert_(new_obj.info(parms=put_parms,
cfg={'no_auth_token': True}))
@@ -145,11 +139,9 @@
def test_HEAD(self):
expires = int(time.time()) + 86400
sig = self.tempurl_sig(
-diff --git a/test/unit/common/middleware/test_tempurl.py b/test/unit/common/middleware/test_tempurl.py
-index 0581077..ffb3b98 100644
---- a/test/unit/common/middleware/test_tempurl.py
-+++ b/test/unit/common/middleware/test_tempurl.py
-@@ -623,6 +623,25 @@ class TestTempURL(unittest.TestCase):
+--- swift-2.3.0/test/unit/common/middleware/test_tempurl.py.~1~ 2015-04-30 09:57:42.000000000 -0400
++++ swift-2.3.0/test/unit/common/middleware/test_tempurl.py 2015-11-03 15:27:42.202552552 -0500
+@@ -649,6 +649,25 @@
self.assertTrue('Temp URL invalid' in resp.body)
self.assertTrue('Www-Authenticate' in resp.headers)
@@ -175,6 +167,3 @@
def test_removed_incoming_header(self):
self.tempurl = tempurl.filter_factory({
'incoming_remove_headers': 'x-remove-this'})(self.auth)
---
-cgit v0.11.2
-