Repository: cloudstack Updated Branches: refs/heads/bugfix/CID-1232333 [created] 9eb2b2763
Fix for CID-1232333, CID-1232334, CID-1232335, CID-1232336 and CID-1232337 Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/9eb2b276 Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/9eb2b276 Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/9eb2b276 Branch: refs/heads/bugfix/CID-1232333 Commit: 9eb2b2763c2e42eb123969173b0399678ff4d50b Parents: 49de3ab Author: Hugo Trippaers <htrippa...@schubergphilis.com> Authored: Tue Sep 23 11:23:20 2014 +0200 Committer: Hugo Trippaers <htrippa...@schubergphilis.com> Committed: Tue Sep 23 11:23:20 2014 +0200 ---------------------------------------------------------------------- .../service/controller/s3/S3BucketAction.java | 96 ++++++++++---------- 1 file changed, 47 insertions(+), 49 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cloudstack/blob/9eb2b276/awsapi/src/com/cloud/bridge/service/controller/s3/S3BucketAction.java ----------------------------------------------------------------------
diff --git a/awsapi/src/com/cloud/bridge/service/controller/s3/S3BucketAction.java b/awsapi/src/com/cloud/bridge/service/controller/s3/S3BucketAction.java
index 788f35a..6f6f12f 100644
--- a/awsapi/src/com/cloud/bridge/service/controller/s3/S3BucketAction.java
+++ b/awsapi/src/com/cloud/bridge/service/controller/s3/S3BucketAction.java
@@ -35,6 +35,7 @@ import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.stream.XMLStreamException;
+import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.log4j.Logger;
 import org.json.simple.parser.ParseException;
 import org.w3c.dom.Document;
@@ -43,7 +44,6 @@ import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
 import com.amazon.s3.GetBucketAccessControlPolicyResponse;
-import com.amazon.s3.ListAllMyBucketsResponse;
 import com.amazon.s3.ListBucketResponse;
 import com.cloud.bridge.io.MTOMAwareResultStreamWriter;
@@ -327,18 +327,18 @@ public class S3BucketAction implements ServletAction {
 S3PolicyContext context = new S3PolicyContext(PolicyActions.PutBucketPolicy, bucketName);
 switch (S3Engine.verifyPolicy(context)) {
-case ALLOW:
-break;
+case ALLOW:
+break;
-case DEFAULT_DENY:
-if (null != owner && !client.equals(owner)) {
-response.setStatus(405);
-return;
-}
-break;
-case DENY:
-response.setStatus(403);
+case DEFAULT_DENY:
+if (null != owner && !client.equals(owner)) {
+response.setStatus(405);
 return;
+}
+break;
+case DENY:
+response.setStatus(403);
+return;
 }
 TransactionLegacy txn = TransactionLegacy.open(TransactionLegacy.AWSAPI_DB);
 // [B] Place the policy into the database over writting an existing policy
@@ -394,19 +394,19 @@ public class S3BucketAction implements ServletAction {
 String client = UserContext.current().getCanonicalUserId();
 S3PolicyContext context = new S3PolicyContext(PolicyActions.GetBucketPolicy, bucketName);
 switch (S3Engine.verifyPolicy(context)) {
-case ALLOW:
-break;
-
-case DEFAULT_DENY:
-if (null != owner && !client.equals(owner)) {
-response.setStatus(405);
-return;
-}
-break;
+case ALLOW:
+break;
-case DENY:
-response.setStatus(403);
+case DEFAULT_DENY:
+if (null != owner && !client.equals(owner)) {
+response.setStatus(405);
 return;
+}
+break;
+
+case DENY:
+response.setStatus(403);
+return;
 }
 // [B] Pull the policy from the database if one exists
@@ -463,10 +463,9 @@ public class S3BucketAction implements ServletAction {
 S3ListAllMyBucketsResponse engineResponse = ServiceProvider.getInstance().getS3Engine().handleRequest(engineRequest);
-// To allow the all buckets list to be serialized via Axiom classes
-ListAllMyBucketsResponse allBuckets = S3SerializableServiceImplementation.toListAllMyBucketsResponse(engineResponse);
+S3SerializableServiceImplementation.toListAllMyBucketsResponse(engineResponse);
-OutputStream outputStream = response.getOutputStream();
+response.getOutputStream();
 response.setStatus(200);
 response.setContentType("application/xml");
 // The content-type literally should be "application/xml; charset=UTF-8"
@@ -531,15 +530,14 @@ public class S3BucketAction implements ServletAction {
 StringBuffer xmlError = new StringBuffer();
 xmlError.append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>")
-.append("<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message>")
-.append("<BucketName>")
-.append((String)request.getAttribute(S3Constants.BUCKET_ATTR_KEY))
-.append("</BucketName>")
-.append("<RequestId>1DEADBEEF9</RequestId>")
-// TODO
-.append("<HostId>abCdeFgHiJ1k2LmN3op4q56r7st89</HostId>")
-// TODO
-.append("</Error>");
+.append("<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message>")
+.append("<BucketName>").append(StringEscapeUtils.escapeHtml((String)request.getAttribute(S3Constants.BUCKET_ATTR_KEY)))
+.append("</BucketName>")
+.append("<RequestId>1DEADBEEF9</RequestId>")
+// TODO
+.append("<HostId>abCdeFgHiJ1k2LmN3op4q56r7st89</HostId>")
+// TODO
+.append("</Error>");
 S3RestServlet.endResponse(response, xmlError.toString());
 }
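Review bot: The two rewritten statements at the top of the -463 hunk, `S3SerializableServiceImplementation.toListAllMyBucketsResponse(engineResponse);` and `response.getOutputStream();`, now discard their results, which silences the unused-variable finding but leaves calls that exist only for whatever side effects they may have. The removed comment says the Axiom response was meant to be serialized, so either the listing is written by another path further down (outside this hunk), in which case both calls are dead and should be deleted rather than kept as value-less expression statements, or nothing ever writes `allBuckets` and the real defect is the missing write, which this change hides. A one-line comment stating why a call is retained for its side effect would be the minimum if it must stay. The enclosing method begins and ends outside the hunk.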
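Review bot: `StringEscapeUtils.escapeHtml` on the new BucketName line of the -531 hunk escapes into HTML named entities (`&eacute;`, `&nbsp;` and the like) that XML does not declare, so a bucket name containing a non-ASCII character now yields an ill-formed `<Error>` document where it previously yielded a well-formed one; the same helper is applied in the later -656, -969 and -1015 hunks. commons-lang's `StringEscapeUtils.escapeXml` emits only the five predefined XML entities and is the right call for a body served as application/xml: `.append("<BucketName>").append(StringEscapeUtils.escapeXml((String)request.getAttribute(S3Constants.BUCKET_ATTR_KEY)))`. Both helpers return null for a null input, so a missing attribute still appends the literal text `null` as before; a null guard here would be cheap. The enclosing method continues outside the hunk.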
@@ -603,16 +601,16 @@ public class S3BucketAction implements ServletAction {
 // [C]
 switch (sbucket.getVersioningStatus()) {
-default:
-case 0:
-versioningStatus = "";
-break;
-case 1:
-versioningStatus = "Enabled";
-break;
-case 2:
-versioningStatus = "Suspended";
-break;
+default:
+case 0:
+versioningStatus = "";
+break;
+case 1:
+versioningStatus = "Enabled";
+break;
+case 2:
+versioningStatus = "Suspended";
+break;
 }
 StringBuffer xml = new StringBuffer();
@@ -656,7 +654,7 @@ public class S3BucketAction implements ServletAction {
 if (null == versionIdMarker)
 xml.append("<VersionIdMarker/>");
 else
-xml.append("<VersionIdMarker>").append(keyMarker).append("</VersionIdMarker");
+xml.append("<VersionIdMarker>").append(StringEscapeUtils.escapeHtml(keyMarker)).append("</VersionIdMarker");
 xml.append("<MaxKeys>").append(engineResponse.getMaxKeys()).append("</MaxKeys>");
 xml.append("<IsTruncated>").append(engineResponse.isTruncated()).append("</IsTruncated>");
@@ -773,7 +771,7 @@ public class S3BucketAction implements ServletAction {
 } catch (ObjectAlreadyExistsException oaee) {
 response.setStatus(409);
 String xml =
-"<?xml version=\"1.0\" encoding=\"UTF-8\"?> <Error><Code>OperationAborted</Code><Message>A conflicting conditional operation is currently in progress against this resource. Please try again..</Message>";
+"<?xml version=\"1.0\" encoding=\"UTF-8\"?> <Error><Code>OperationAborted</Code><Message>A conflicting conditional operation is currently in progress against this resource. Please try again..</Message>";
 response.setContentType("text/xml; charset=UTF-8");
 S3RestServlet.endResponse(response, xml.toString());
 }
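Review bot: The rewritten line in the -656 hunk still appends `keyMarker` inside the VersionIdMarker element although the guard two lines above tests `versionIdMarker`, and its closing tag `</VersionIdMarker` is missing the `>`, so the new side continues to emit a malformed element with what looks like the wrong value. Both faults predate the commit, but since the line is being rewritten anyway this is the moment to fix it; the intent is presumably `xml.append("<VersionIdMarker>").append(StringEscapeUtils.escapeHtml(versionIdMarker)).append("</VersionIdMarker>");` — confirm against the marker the list-versions response is meant to echo. The enclosing method starts and ends outside the hunk.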
@@ -969,7 +967,7 @@ public class S3BucketAction implements ServletAction {
 xml.append("<?xml version=\"1.0\" encoding=\"utf-8\"?>");
 xml.append("<ListMultipartUploadsResult xmlns=\"http://s3.amazonaws.com/doc/2006-03-01/\">");
 xml.append("<Bucket>").append(bucketName).append("</Bucket>");
-xml.append("<KeyMarker>").append((null == keyMarker ? "" : keyMarker)).append("</KeyMarker>");
+xml.append("<KeyMarker>").append((null == keyMarker ? "" : StringEscapeUtils.escapeHtml(keyMarker))).append("</KeyMarker>");
 xml.append("<UploadIdMarker>").append((null == uploadIdMarker ? "" : uploadIdMarker)).append("</UploadIdMarker>");
 // [C] Construct the contents of the <Upload> element
@@ -1015,9 +1013,9 @@ public class S3BucketAction implements ServletAction {
 partsList.append("<CommonPrefixes>");
 partsList.append("<Prefix>");
 if (prefix != null && prefix.length() > 0)
-partsList.append(StringEscapeUtils.escapeHtml(prefix) + StringEscapeUtils.escapeHtml(delimiter) + StringEscapeUtils.escapeHtml(subName));
+partsList.append(StringEscapeUtils.escapeHtml(prefix) + StringEscapeUtils.escapeHtml(delimiter) + StringEscapeUtils.escapeHtml(subName));
 else
-partsList.append(subName);
+partsList.append(StringEscapeUtils.escapeHtml(subName));
 partsList.append("</Prefix>");
 partsList.append("</CommonPrefixes>");
 }
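Review bot: In the -969 hunk only `keyMarker` receives escaping, while the context lines immediately above and below still append `bucketName` and `uploadIdMarker` raw into the same ListMultipartUploadsResult document; they appear to be request-derived in the same way as `keyMarker`, so treating one and not the others leaves the element content unescaped for two of the three values. Apply the same helper on the neighbouring lines: `xml.append("<Bucket>").append(StringEscapeUtils.escapeHtml(bucketName)).append("</Bucket>");` and `xml.append("<UploadIdMarker>").append((null == uploadIdMarker ? "" : StringEscapeUtils.escapeHtml(uploadIdMarker))).append("</UploadIdMarker>");`. The enclosing method lies outside the hunk on both sides.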