From f86b24935cf122183fcb9c523041d22071c3c0f1 Mon Sep 17 00:00:00 2001 From: Andrew James Date: Thu, 30 Aug 2012 17:15:35 -0600 Subject: Escape ec2 XML error responses Fixes bug 978439 XML error responses to ec2 calls include user supplied data that is not escaped. This could result in returning invalid XML. This is addressed by using utils.xhtml_escape() on purposeful eC2 error responses and when handling webob.exc.HTTPException. Extended the tests for utils.xhtml_escape() to cover '&', '>', '<' and a tag look-alike. These conversions are implicit to saxutils.escape(). Change-Id: Icb3e861c6c06c0d9c3b9e2ab1a658581a0fb39c6 --- nova/api/ec2/__init__.py | 5 +++-- nova/api/ec2/faults.py | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) (limited to 'nova/api') diff --git a/nova/api/ec2/__init__.py b/nova/api/ec2/__init__.py index 9613d0f8b..2ae685cec 100644 --- a/nova/api/ec2/__init__.py +++ b/nova/api/ec2/__init__.py @@ -84,8 +84,9 @@ def ec2_error(req, request_id, code, message): '%s' '%s' '%s' % - (utils.utf8(code), utils.utf8(message), - utils.utf8(request_id))) + (utils.xhtml_escape(utils.utf8(code)), + utils.xhtml_escape(utils.utf8(message)), + utils.xhtml_escape(utils.utf8(request_id)))) return resp diff --git a/nova/api/ec2/faults.py b/nova/api/ec2/faults.py index 92bb4f6e7..ef16f086e 100644 --- a/nova/api/ec2/faults.py +++ b/nova/api/ec2/faults.py @@ -58,7 +58,8 @@ class Fault(webob.exc.HTTPException): '%s' '%s' '%s' % - (utils.utf8(code), utils.utf8(message), - utils.utf8(ctxt.request_id))) + (utils.xhtml_escape(utils.utf8(code)), + utils.xhtml_escape(utils.utf8(message)), + utils.xhtml_escape(utils.utf8(ctxt.request_id)))) return resp -- cgit
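Review bot: The same three-line escaping expression is now duplicated in ec2_error (nova/api/ec2/__init__.py) and in the Fault hunk in nova/api/ec2/faults.py, so a future change to how the EC2 error body is built has to be made twice; a small shared helper that formats the escaped body from (code, message, request_id) would keep the two responses consistent. In both hunks the call site also deserves a why-comment, since the escaping is the fix for the bug in the subject and nothing on the line says so: `# Escape markup characters so user-supplied text (the message) cannot break the XML body.`. Note that saxutils.escape, which the commit message says xhtml_escape wraps, only rewrites '&', '<' and '>'; it is sufficient here because the values land in element content, but it does not strip characters that are invalid in XML 1.0, so a message containing control characters would presumably still yield a malformed document — worth a follow-up or a comment rather than a change in this commit. The enclosing ec2_error function and the Fault class both start outside their hunks.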