High severity · NVD Advisory · Published Aug 20, 2013 · Updated Apr 29, 2026

CVE-2013-2161

Description

XML injection vulnerability in account/utils.py in OpenStack Swift Folsom, Grizzly, and Havana allows attackers to trigger invalid or spoofed Swift responses via an account name.
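An added example (not Swift's own code) that renders the <account> element the way the vulnerable code and the two fixes on this page do, then checks what a conforming XML parser recovers from each; the account names used are constructed inputs, one taken from the patched unit test.

```python
# Added example, not Swift's own code: renders the <account> element the way
# the vulnerable code and the two fixes on this page do, then checks what a
# conforming XML parser recovers. Account names below are constructed inputs.
import xml.dom.minidom
from xml.parsers.expat import ExpatError
from xml.sax import saxutils

XML_DECL = '<?xml version="1.0" encoding="UTF-8"?>'


def render_unescaped(account):
    # Pre-fix: the raw account name lands inside a quoted attribute.
    return XML_DECL + '<account name="%s"></account>' % account


def render_escaped(account):
    # First fix (the three saxutils.escape commits): escape() rewrites &, <
    # and > but leaves " and ' alone, so a quote still ends the attribute.
    return XML_DECL + '<account name="%s"></account>' % saxutils.escape(account)


def render_quoteattr(account):
    # Final fix (commit 92d7eadd3287): quoteattr() chooses the quote character
    # and escapes whatever it must, so the name is always one attribute value.
    return XML_DECL + '<account name=%s></account>' % saxutils.quoteattr(account)


def parsed_attributes(xml_text):
    # What a client's XML parser sees: None when the document is not
    # well-formed, otherwise the attribute set of the <account> element.
    try:
        dom = xml.dom.minidom.parseString(xml_text)
    except ExpatError:
        return None
    return dict(dom.documentElement.attributes.items())


if __name__ == '__main__':
    # %22%27 from the patched unit test, plus a constructed name that carries
    # a second attribute through escape()-only quoting.
    for name in ['"\'', 'x" spoofed="1']:
        for render in (render_unescaped, render_escaped, render_quoteattr):
            print(render.__name__, repr(name), parsed_attributes(render(name)))
```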

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions   Patched versions
swift (PyPI)     < 1.9.0             1.9.0

Affected products: 4

Patches: 4
92d7eadd3287

Better escaping for GET /v1/a?format=xml.

https://github.com/openstack/swift · Samuel Merritt · Jun 13, 2013 · via GHSA
2 files changed · +38 −1
  • swift/account/utils.py (modified, +1 −1)
    @@ -96,7 +96,7 @@ def account_listing_response(account, req, response_content_type, broker=None,
             account_list = json.dumps(data)
         elif response_content_type.endswith('/xml'):
             output_list = ['<?xml version="1.0" encoding="UTF-8"?>',
    -                       '<account name="%s">' % saxutils.escape(account)]
    +                       '<account name=%s>' % saxutils.quoteattr(account)]
             for (name, object_count, bytes_used, is_subdir) in account_list:
                 name = saxutils.escape(name)
                 if is_subdir:
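Review bot: the template change from `'<account name="%s">'` to `'<account name=%s>'` is required here, not cosmetic: saxutils.quoteattr() returns the value already wrapped in its own quotes and picks single quotes when the name contains only `"`, whereas saxutils.escape() in the earlier fixes below leaves `"` and `'` untouched, so a quote in the account name could still close the attribute. A one-line comment at this call site would stop a future cleanup from putting the literal quotes back around `%s`.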
    
  • test/unit/account/test_server.py (modified, +37 −0)
    @@ -632,6 +632,43 @@ def test_GET_with_containers_xml(self):
             self.assertEquals(node.firstChild.nodeValue, '4')
             self.assertEquals(resp.charset, 'utf-8')
     
    +    def test_GET_xml_escapes_account_name(self):
    +        req = Request.blank(
    +            '/sda1/p/%22%27',   # "'
    +            environ={'REQUEST_METHOD': 'PUT', 'HTTP_X_TIMESTAMP': '0'})
    +        self.controller.PUT(req)
    +
    +        req = Request.blank(
    +            '/sda1/p/%22%27?format=xml',
    +            environ={'REQUEST_METHOD': 'GET', 'HTTP_X_TIMESTAMP': '1'})
    +        resp = self.controller.GET(req)
    +
    +        dom = xml.dom.minidom.parseString(resp.body)
    +        self.assertEquals(dom.firstChild.attributes['name'].value, '"\'')
    +
    +    def test_GET_xml_escapes_container_name(self):
    +        req = Request.blank(
    +            '/sda1/p/a',
    +            environ={'REQUEST_METHOD': 'PUT', 'HTTP_X_TIMESTAMP': '0'})
    +        self.controller.PUT(req)
    +
    +        req = Request.blank(
    +            '/sda1/p/a/%22%3Cword',  # "<word
    +            environ={'REQUEST_METHOD': 'PUT', 'HTTP_X_TIMESTAMP': '1',
    +                     'HTTP_X_PUT_TIMESTAMP': '1', 'HTTP_X_OBJECT_COUNT': '0',
    +                     'HTTP_X_DELETE_TIMESTAMP': '0', 'HTTP_X_BYTES_USED': '1'})
    +        self.controller.PUT(req)
    +
    +        req = Request.blank(
    +            '/sda1/p/a?format=xml',
    +            environ={'REQUEST_METHOD': 'GET', 'HTTP_X_TIMESTAMP': '1'})
    +        resp = self.controller.GET(req)
    +        dom = xml.dom.minidom.parseString(resp.body)
    +
    +        self.assertEquals(
    +            dom.firstChild.firstChild.nextSibling.firstChild.firstChild.data,
    +            '"<word')
    +
         def test_GET_limit_marker_plain(self):
             req = Request.blank('/sda1/p/a', environ={'REQUEST_METHOD': 'PUT',
                 'HTTP_X_TIMESTAMP': '0'})
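Review bot: test_GET_xml_escapes_account_name pins only the `"'` name; quoteattr() takes a different branch for a name containing `"` but not `'` (single-quoted attribute) and for one containing `&` (entity escaping), so one assertion for each would cover the remaining paths. In test_GET_xml_escapes_container_name the value is reached through `dom.firstChild.firstChild.nextSibling.firstChild.firstChild.data`, which breaks on any whitespace or ordering change in the listing; looking the element up by tag name would be sturdier. `assertEquals` is a deprecated alias of `assertEqual`.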
    
6659382c4fa3

Check user input in XML responses.

https://github.com/openstack/swift · Alex Gaynor · May 27, 2013 · via GHSA
1 file changed · +1 −1
  • swift/account/server.py (modified, +1 −1)
    @@ -241,7 +241,7 @@ def GET(self, req):
                 account_list = json.dumps(data)
             elif out_content_type.endswith('/xml'):
                 output_list = ['<?xml version="1.0" encoding="UTF-8"?>',
    -                           '<account name="%s">' % account]
    +                           '<account name="%s">' % saxutils.escape(account)]
                 for (name, object_count, bytes_used, is_subdir) in account_list:
                     name = saxutils.escape(name)
                     if is_subdir:
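Review bot: saxutils.escape() rewrites only `&`, `<` and `>`, so inside `'<account name="%s">'` an account name containing `"` still terminates the attribute and whatever follows it is parsed as markup; the names are already escaped correctly two lines down, but the attribute is not. Use `saxutils.quoteattr(account)` and drop the literal quotes from the template, as the later commit 92d7eadd3287 on this page does.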
    
4eed6bf5b502

Check user input in XML responses.

https://github.com/openstack/swift · Alex Gaynor · May 27, 2013 · via GHSA
1 file changed · +1 −1
  • swift/account/server.py (modified, +1 −1)
    @@ -275,7 +275,7 @@ def GET(self, req):
                 account_list = json.dumps(data)
             elif out_content_type.endswith('/xml'):
                 output_list = ['<?xml version="1.0" encoding="UTF-8"?>',
    -                           '<account name="%s">' % account]
    +                           '<account name="%s">' % saxutils.escape(account)]
                 for (name, object_count, bytes_used, is_subdir) in account_list:
                     name = saxutils.escape(name)
                     if is_subdir:
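Review bot: same gap as in the other server.py hunk on this page: escape() leaves `"` and `'` alone, so `'<account name="%s">' % saxutils.escape(account)` is still broken out of by a double quote in the account name. `'<account name=%s>' % saxutils.quoteattr(account)` closes it, and the change should land in both branches together so neither release carries the half fix.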
    
8f9b135e0a16

Checked user input in XML responses.

https://github.com/openstack/swift · Alex Gaynor · May 27, 2013 · via GHSA
1 file changed · +1 −1
  • swift/account/utils.py (modified, +1 −1)
    @@ -96,7 +96,7 @@ def account_listing_response(account, req, response_content_type, broker=None,
             account_list = json.dumps(data)
         elif response_content_type.endswith('/xml'):
             output_list = ['<?xml version="1.0" encoding="UTF-8"?>',
    -                       '<account name="%s">' % account]
    +                       '<account name="%s">' % saxutils.escape(account)]
             for (name, object_count, bytes_used, is_subdir) in account_list:
                 name = saxutils.escape(name)
                 if is_subdir:
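Review bot: this is the line commit 92d7eadd3287 above has to revisit: saxutils.escape() does not touch quote characters, so the attribute in `'<account name="%s">'` is still closable by a `"` in the account name; `saxutils.quoteattr(account)` with the template quotes removed is the complete fix. A unit test with a quoted account name (as added later) would have caught this at review time.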
    
