swift 2.23.2__py3-none-any.whl → 2.35.0__py3-none-any.whl

swift/common/middleware/bulk.py

@@ -195,9 +195,8 @@ payload sent to the proxy (the list of objects/containers to be deleted).
 """
 
 import json
-import six
 import tarfile
-from xml.sax import saxutils
+from xml.sax.saxutils import escape  # nosec B406
 from time import time
 from eventlet import sleep
 import zlib
@@ -206,8 +205,8 @@ from swift.common.swob import Request, HTTPBadGateway, \
     HTTPPreconditionFailed, HTTPRequestEntityTooLarge, HTTPNotAcceptable, \
     HTTPLengthRequired, HTTPException, HTTPServerError, wsgify, \
     bytes_to_wsgi, str_to_wsgi, wsgi_unquote, wsgi_quote, wsgi_to_str
-from swift.common.utils import get_logger, register_swift_info, \
-    StreamingPile
+from swift.common.utils import get_logger, StreamingPile
+from swift.common.registry import register_swift_info
 from swift.common import constraints
 from swift.common.http import HTTP_UNAUTHORIZED, HTTP_NOT_FOUND, HTTP_CONFLICT
 from swift.common.request_helpers import is_user_meta
@@ -247,18 +246,16 @@ def get_response_body(data_format, data_dict, error_list, root_tag):
             xml_key = key.replace(' ', '_').lower()
             output.extend([
                 '<', xml_key, '>',
-                saxutils.escape(str(data_dict[key])),
+                escape(str(data_dict[key])),
                 '</', xml_key, '>\n',
             ])
         output.append('<errors>\n')
         for name, status in error_list:
             output.extend([
-                '<object><name>', saxutils.escape(name), '</name><status>',
-                saxutils.escape(status), '</status></object>\n',
+                '<object><name>', escape(name), '</name><status>',
+                escape(status), '</status></object>\n',
             ])
         output.extend(['</errors>\n</', root_tag, '>\n'])
-        if six.PY2:
-            return ''.join(output)
         return ''.join(output).encode('utf-8')
 
     output = []
@@ -268,8 +265,6 @@ def get_response_body(data_format, data_dict, error_list, root_tag):
     output.extend(
         '%s, %s\n' % (name, status)
         for name, status in error_list)
-    if six.PY2:
-        return ''.join(output)
     return ''.join(output).encode('utf-8')
 
 
@@ -279,13 +274,9 @@ def pax_key_to_swift_header(pax_key):
         return "Content-Type"
     elif pax_key.startswith(u"SCHILY.xattr.user.meta."):
         useful_part = pax_key[len(u"SCHILY.xattr.user.meta."):]
-        if six.PY2:
-            return "X-Object-Meta-" + useful_part.encode("utf-8")
         return str_to_wsgi("X-Object-Meta-" + useful_part)
     elif pax_key.startswith(u"LIBARCHIVE.xattr.user.meta."):
         useful_part = pax_key[len(u"LIBARCHIVE.xattr.user.meta."):]
-        if six.PY2:
-            return "X-Object-Meta-" + useful_part.encode("utf-8")
         return str_to_wsgi("X-Object-Meta-" + useful_part)
     else:
         # You can get things like atime/mtime/ctime or filesystem ACLs in
@@ -357,15 +348,12 @@ class Bulk(object):
         while data_remaining:
             if b'\n' in line:
                 obj_to_delete, line = line.split(b'\n', 1)
-                if six.PY2:
-                    obj_to_delete = wsgi_unquote(obj_to_delete.strip())
-                else:
-                    # yeah, all this chaining is pretty terrible...
-                    # but it gets even worse trying to use UTF-8 and
-                    # errors='surrogateescape' when dealing with terrible
-                    # input like b'\xe2%98\x83'
-                    obj_to_delete = wsgi_to_str(wsgi_unquote(
-                        bytes_to_wsgi(obj_to_delete.strip())))
+                # yeah, all this chaining is pretty terrible...
+                # but it gets even worse trying to use UTF-8 and
+                # errors='surrogateescape' when dealing with terrible
+                # input like b'\xe2%98\x83'
+                obj_to_delete = wsgi_to_str(wsgi_unquote(
+                    bytes_to_wsgi(obj_to_delete.strip())))
                 objs_to_delete.append({'name': obj_to_delete})
             else:
                 data = req.body_file.read(self.max_path_length)
@@ -373,11 +361,8 @@ class Bulk(object):
                     line += data
                 else:
                     data_remaining = False
-                    if six.PY2:
-                        obj_to_delete = wsgi_unquote(line.strip())
-                    else:
-                        obj_to_delete = wsgi_to_str(wsgi_unquote(
-                            bytes_to_wsgi(line.strip())))
+                    obj_to_delete = wsgi_to_str(wsgi_unquote(
+                        bytes_to_wsgi(line.strip())))
                     if obj_to_delete:
                         objs_to_delete.append({'name': obj_to_delete})
             if len(objs_to_delete) > self.max_deletes_per_request:
@@ -457,7 +442,8 @@ class Bulk(object):
                         failed_files.append([wsgi_quote(str_to_wsgi(obj_name)),
                                              HTTPPreconditionFailed().status])
                         continue
-                    yield (obj_name, delete_path)
+                    yield (obj_name, delete_path,
+                           obj_to_delete.get('version_id'))
 
             def objs_then_containers(objs_to_delete):
                 # process all objects first
@@ -467,13 +453,17 @@ class Bulk(object):
                 yield delete_filter(lambda name: '/' not in name.strip('/'),
                                     objs_to_delete)
 
-            def do_delete(obj_name, delete_path):
+            def do_delete(obj_name, delete_path, version_id):
                 delete_obj_req = make_subrequest(
                     req.environ, method='DELETE',
                     path=wsgi_quote(str_to_wsgi(delete_path)),
                     headers={'X-Auth-Token': req.headers.get('X-Auth-Token')},
                     body='', agent='%(orig)s ' + user_agent,
                     swift_source=swift_source)
+                if version_id is None:
+                    delete_obj_req.params = {}
+                else:
+                    delete_obj_req.params = {'version-id': version_id}
                 return (delete_obj_req.get_response(self.app), obj_name, 0)
 
             with StreamingPile(self.delete_concurrency) as pile:
@@ -572,9 +562,7 @@ class Bulk(object):
                         len(failed_files) >= self.max_failed_extractions:
                     break
                 if tar_info.isfile():
-                    obj_path = tar_info.name
-                    if not six.PY2:
-                        obj_path = obj_path.encode('utf-8', 'surrogateescape')
+                    obj_path = tar_info.name.encode('utf-8', 'surrogateescape')
                     obj_path = bytes_to_wsgi(obj_path)
                     if obj_path.startswith('./'):
                         obj_path = obj_path[2:]

swift/common/middleware/catch_errors.py

@@ -13,8 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-from swift import gettext_ as _
-
 from swift.common.swob import Request, HTTPServerError
 from swift.common.utils import get_logger, generate_trans_id, close_if_possible
 from swift.common.wsgi import WSGIContext
@@ -74,7 +72,7 @@ class CatchErrorsContext(WSGIContext):
             # catch any errors in the pipeline
             resp = self._app_call(env)
         except:  # noqa
-            self.logger.exception(_('Error: An error occurred'))
+            self.logger.exception('Error: An error occurred')
             resp = HTTPServerError(request=Request(env),
                                    body=b'An error occurred',
                                    content_type='text/plain')

swift/common/middleware/cname_lookup.py

@@ -27,10 +27,6 @@ maximum lookup depth. If a match is found, the environment's Host header is
 rewritten and the request is passed further down the WSGI chain.
 """
 
-import six
-
-from swift import gettext_ as _
-
 try:
     import dns.resolver
     import dns.exception
@@ -44,7 +40,8 @@ from swift.common.middleware import RewriteContext
 from swift.common.swob import Request, HTTPBadRequest, \
     str_to_wsgi, wsgi_to_str
 from swift.common.utils import cache_from_env, get_logger, is_valid_ip, \
-    list_from_csv, parse_socket_string, register_swift_info
+    list_from_csv, parse_socket_string
+from swift.common.registry import register_swift_info
 
 
 def lookup_cname(domain, resolver):  # pragma: no cover
@@ -59,7 +56,7 @@ def lookup_cname(domain, resolver):  # pragma: no cover
     try:
         answer = resolver.query(domain, 'CNAME').rrset
         ttl = answer.ttl
-        result = answer.items[0].to_text()
+        result = list(answer.items)[0].to_text()
         result = result.rstrip('.')
         return ttl, result
     except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
@@ -150,8 +147,6 @@ class CNAMELookupMiddleware(object):
                 if self.memcache:
                     memcache_key = ''.join(['cname-', a_domain])
                     found_domain = self.memcache.get(memcache_key)
-                    if six.PY2 and found_domain:
-                        found_domain = found_domain.encode('utf-8')
                 if found_domain is None:
                     ttl, found_domain = lookup_cname(a_domain, self.resolver)
                     if self.memcache and ttl > 0:
@@ -166,7 +161,7 @@ class CNAMELookupMiddleware(object):
                 elif self._domain_endswith_in_storage_domain(found_domain):
                     # Found it!
                     self.logger.info(
-                        _('Mapped %(given_domain)s to %(found_domain)s') %
+                        'Mapped %(given_domain)s to %(found_domain)s',
                         {'given_domain': given_domain,
                          'found_domain': found_domain})
                     if port:
@@ -179,8 +174,8 @@ class CNAMELookupMiddleware(object):
                 else:
                     # try one more deep in the chain
                     self.logger.debug(
-                        _('Following CNAME chain for  '
-                          '%(given_domain)s to %(found_domain)s') %
+                        'Following CNAME chain for  '
+                        '%(given_domain)s to %(found_domain)s',
                         {'given_domain': given_domain,
                          'found_domain': found_domain})
                     a_domain = found_domain

swift/common/middleware/container_quotas.py

@@ -54,7 +54,7 @@ For example::
 from swift.common.http import is_success
 from swift.common.swob import HTTPRequestEntityTooLarge, HTTPBadRequest, \
     wsgify
-from swift.common.utils import register_swift_info
+from swift.common.registry import register_swift_info
 from swift.proxy.controllers.base import get_container_info
 
 

swift/common/middleware/container_sync.py

@@ -15,11 +15,14 @@
 
 import os
 
+from swift.common.constraints import valid_api_version
 from swift.common.container_sync_realms import ContainerSyncRealms
+from swift.common.request_helpers import append_log_info
 from swift.common.swob import HTTPBadRequest, HTTPUnauthorized, wsgify
 from swift.common.utils import (
-    config_true_value, get_logger, register_swift_info, streq_const_time)
+    config_true_value, get_logger, streq_const_time)
 from swift.proxy.controllers.base import get_container_info
+from swift.common.registry import register_swift_info
 
 
 class ContainerSync(object):
@@ -67,8 +70,35 @@ class ContainerSync(object):
 
     @wsgify
     def __call__(self, req):
+        if req.path == '/info':
+            # Ensure /info requests get the freshest results
+            self.register_info()
+            return self.app
+
+        try:
+            (version, acc, cont, obj) = req.split_path(3, 4, True)
+            bad_path = False
+        except ValueError:
+            bad_path = True
+
+        # use of bad_path bool is to avoid recursive tracebacks
+        if bad_path or not valid_api_version(version):
+            return self.app
+
+        # validate container-sync metdata update
+        info = get_container_info(
+            req.environ, self.app, swift_source='CS')
+        sync_to = req.headers.get('x-container-sync-to')
+        if req.method in ('PUT', 'POST') and cont and not obj:
+            versions_cont = info.get(
+                'sysmeta', {}).get('versions-container')
+            if sync_to and versions_cont:
+                raise HTTPBadRequest(
+                    'Cannot configure container sync on a container '
+                    'with object versioning configured.',
+                    request=req)
+
         if not self.allow_full_urls:
-            sync_to = req.headers.get('x-container-sync-to')
             if sync_to and not sync_to.startswith('//'):
                 raise HTTPBadRequest(
                     body='Full URLs are not allowed for X-Container-Sync-To '
@@ -80,22 +110,17 @@ class ContainerSync(object):
             valid = False
             auth = auth.split()
             if len(auth) != 3:
-                req.environ.setdefault('swift.log_info', []).append(
-                    'cs:not-3-args')
+                append_log_info(req.environ, 'cs:not-3-args')
             else:
                 realm, nonce, sig = auth
                 realm_key = self.realms_conf.key(realm)
                 realm_key2 = self.realms_conf.key2(realm)
                 if not realm_key:
-                    req.environ.setdefault('swift.log_info', []).append(
-                        'cs:no-local-realm-key')
+                    append_log_info(req.environ, 'cs:no-local-realm-key')
                 else:
-                    info = get_container_info(
-                        req.environ, self.app, swift_source='CS')
                     user_key = info.get('sync_key')
                     if not user_key:
-                        req.environ.setdefault('swift.log_info', []).append(
-                            'cs:no-local-user-key')
+                        append_log_info(req.environ, 'cs:no-local-user-key')
                     else:
                         # x-timestamp headers get shunted by gatekeeper
                         if 'x-backend-inbound-x-timestamp' in req.headers:
@@ -112,11 +137,9 @@ class ContainerSync(object):
                             realm_key2, user_key) if realm_key2 else expected
                         if not streq_const_time(sig, expected) and \
                                 not streq_const_time(sig, expected2):
-                            req.environ.setdefault(
-                                'swift.log_info', []).append('cs:invalid-sig')
+                            append_log_info(req.environ, 'cs:invalid-sig')
                         else:
-                            req.environ.setdefault(
-                                'swift.log_info', []).append('cs:valid')
+                            append_log_info(req.environ, 'cs:valid')
                             valid = True
             if not valid:
                 exc = HTTPUnauthorized(
@@ -134,10 +157,9 @@ class ContainerSync(object):
                 # syntax and might be synced before its segments, so stop SLO
                 # middleware from performing the usual manifest validation.
                 req.environ['swift.slo_override'] = True
+                # Similar arguments for static symlinks
+                req.environ['swift.symlink_override'] = True
 
-        if req.path == '/info':
-            # Ensure /info requests get the freshest results
-            self.register_info()
         return self.app
 
 

swift/common/middleware/copy.py

@@ -319,6 +319,9 @@ class ServerSideCopyMiddleware(object):
         if 'last-modified' in source_resp.headers:
             resp_headers['X-Copied-From-Last-Modified'] = \
                 source_resp.headers['last-modified']
+        if 'X-Object-Version-Id' in source_resp.headers:
+            resp_headers['X-Copied-From-Version-Id'] = \
+                source_resp.headers['X-Object-Version-Id']
         # Existing sys and user meta of source object is added to response
         # headers in addition to the new ones.
         _copy_headers(sink_req.headers, resp_headers)
@@ -374,6 +377,8 @@ class ServerSideCopyMiddleware(object):
             sink_req.headers.update(req.headers)
 
         params = sink_req.params
+        params_updated = False
+
         if params.get('multipart-manifest') == 'get':
             if 'X-Static-Large-Object' in source_resp.headers:
                 params['multipart-manifest'] = 'put'
@@ -381,6 +386,13 @@ class ServerSideCopyMiddleware(object):
                 del params['multipart-manifest']
                 sink_req.headers['X-Object-Manifest'] = \
                     source_resp.headers['X-Object-Manifest']
+            params_updated = True
+
+        if 'version-id' in params:
+            del params['version-id']
+            params_updated = True
+
+        if params_updated:
             sink_req.params = params
 
         # Set swift.source, data source, content length and etag

swift/common/middleware/crossdomain.py

@@ -14,7 +14,7 @@
 # limitations under the License.
 
 from swift.common.swob import Request, Response
-from swift.common.utils import register_swift_info
+from swift.common.registry import register_swift_info
 
 
 class CrossDomainMiddleware(object):
@@ -23,20 +23,24 @@ class CrossDomainMiddleware(object):
     Cross domain middleware used to respond to requests for cross domain
     policy information.
 
-    If the path is /crossdomain.xml it will respond with an xml cross domain
-    policy document. This allows web pages hosted elsewhere to use client
-    side technologies such as Flash, Java and Silverlight to interact
+    If the path is ``/crossdomain.xml`` it will respond with an xml cross
+    domain policy document. This allows web pages hosted elsewhere to use
+    client side technologies such as Flash, Java and Silverlight to interact
     with the Swift API.
 
     To enable this middleware, add it to the pipeline in your proxy-server.conf
     file. It should be added before any authentication (e.g., tempauth or
     keystone) middleware. In this example ellipsis (...) indicate other
-    middleware you may have chosen to use::
+    middleware you may have chosen to use:
+
+    .. code:: cfg
 
         [pipeline:main]
         pipeline =  ... crossdomain ... authtoken ... proxy-server
 
-    And add a filter section, such as::
+    And add a filter section, such as:
+
+    .. code:: cfg
 
         [filter:crossdomain]
         use = egg:swift#crossdomain
@@ -45,13 +49,22 @@ class CrossDomainMiddleware(object):
 
     For continuation lines, put some whitespace before the continuation
     text. Ensure you put a completely blank line to terminate the
-    cross_domain_policy value.
+    ``cross_domain_policy`` value.
+
+    The ``cross_domain_policy`` name/value is optional. If omitted, the policy
+    defaults as if you had specified:
 
-    The cross_domain_policy name/value is optional. If omitted, the policy
-    defaults as if you had specified::
+    .. code:: cfg
 
         cross_domain_policy = <allow-access-from domain="*" secure="false" />
 
+    .. note::
+
+       The default policy is very permissive; this is appropriate
+       for most public cloud deployments, but may not be appropriate
+       for all deployments. See also:
+       `CWE-942 <https://cwe.mitre.org/data/definitions/942.html>`__
+
 
     """
 

swift/common/middleware/crypto/__init__.py

@@ -20,7 +20,8 @@ instance of an :class:`~swift.common.middleware.crypto.encrypter.Encrypter`.
 from swift.common.middleware.crypto.decrypter import Decrypter
 from swift.common.middleware.crypto.encrypter import Encrypter
 
-from swift.common.utils import config_true_value, register_swift_info
+from swift.common.utils import config_true_value
+from swift.common.registry import register_swift_info
 
 
 def filter_factory(global_conf, **local_conf):

swift/common/middleware/crypto/crypto_utils.py

@@ -14,21 +14,17 @@
 # limitations under the License.
 import base64
 import binascii
-import collections
 import json
 import os
 
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
-import six
-from six.moves.urllib import parse as urlparse
+import urllib.parse
 
-from swift import gettext_ as _
 from swift.common.exceptions import EncryptionException, UnknownSecretIdError
 from swift.common.swob import HTTPInternalServerError
-from swift.common.utils import get_logger
+from swift.common.utils import get_logger, parse_header
 from swift.common.wsgi import WSGIContext
-from cgi import parse_header
 
 CRYPTO_KEY_CALLBACK = 'swift.callback.fetch_crypto_keys'
 
@@ -161,7 +157,7 @@ class CryptoWSGIContext(WSGIContext):
         try:
             fetch_crypto_keys = env[CRYPTO_KEY_CALLBACK]
         except KeyError:
-            self.logger.exception(_('ERROR get_keys() missing callback'))
+            self.logger.exception('ERROR get_keys() missing callback')
             raise HTTPInternalServerError(
                 "Unable to retrieve encryption keys.")
 
@@ -182,12 +178,12 @@ class CryptoWSGIContext(WSGIContext):
                 self.crypto.check_key(key)
                 continue
             except KeyError:
-                self.logger.exception(_("Missing key for %r") % name)
+                self.logger.exception("Missing key for %r", name)
             except TypeError:
-                self.logger.exception(_("Did not get a keys dict"))
+                self.logger.exception("Did not get a keys dict")
             except ValueError as e:
                 # don't include the key in any messages!
-                self.logger.exception(_("Bad key for %(name)r: %(err)s") %
+                self.logger.exception("Bad key for %(name)r: %(err)s",
                                       {'name': name, 'err': e})
             raise HTTPInternalServerError(
                 "Unable to retrieve encryption keys.")
@@ -227,7 +223,7 @@ def dump_crypto_meta(crypto_meta):
             for name, value in crypto_meta.items()}
 
     # use sort_keys=True to make serialized form predictable for testing
-    return urlparse.quote_plus(
+    return urllib.parse.quote_plus(
         json.dumps(b64_encode_meta(crypto_meta), sort_keys=True))
 
 
@@ -253,14 +249,14 @@ def load_crypto_meta(value, b64decode=True):
             str(name): (
                 base64.b64decode(val) if name in ('iv', 'key') and b64decode
                 else b64_decode_meta(val) if isinstance(val, dict)
-                else val.encode('utf8') if six.PY2 else val)
+                else val)
             for name, val in crypto_meta.items()}
 
     try:
-        if not isinstance(value, six.string_types):
+        if not isinstance(value, str):
             raise ValueError('crypto meta not a string')
-        val = json.loads(urlparse.unquote_plus(value))
-        if not isinstance(val, collections.Mapping):
+        val = json.loads(urllib.parse.unquote_plus(value))
+        if not isinstance(val, dict):
             raise ValueError('crypto meta not a Mapping')
         return b64_decode_meta(val)
     except (KeyError, ValueError, TypeError) as err:

swift/common/middleware/crypto/decrypter.py

@@ -16,7 +16,6 @@
 import base64
 import json
 
-from swift import gettext_ as _
 from swift.common.header_key_dict import HeaderKeyDict
 from swift.common.http import is_success
 from swift.common.middleware.crypto.crypto_utils import CryptoWSGIContext, \
@@ -77,10 +76,10 @@ class BaseDecrypterContext(CryptoWSGIContext):
                                           crypto_meta['body_key'])
         except KeyError as err:
             self.logger.error(
-                _('Error decrypting %(resp_type)s: Missing %(key)s'),
+                'Error decrypting %(resp_type)s: Missing %(key)s',
                 {'resp_type': self.server_type, 'key': err})
         except ValueError as err:
-            self.logger.error(_('Error decrypting %(resp_type)s: %(reason)s'),
+            self.logger.error('Error decrypting %(resp_type)s: %(reason)s',
                               {'resp_type': self.server_type, 'reason': err})
         raise HTTPInternalServerError(
             body='Error decrypting %s' % self.server_type,
@@ -92,7 +91,7 @@ class BaseDecrypterContext(CryptoWSGIContext):
         the value itself, otherwise return the value unmodified.
 
         A value should either be a string that does not contain the ';'
-        character or should be of the form:
+        character or should be of the form::
 
             <base64-encoded ciphertext>;swift_meta=<crypto meta>
 
@@ -178,7 +177,7 @@ class DecrypterObjContext(BaseDecrypterContext):
                 value, key, required, bytes_to_wsgi)
         except EncryptionException as err:
             self.logger.error(
-                _("Error decrypting header %(header)s: %(error)s"),
+                "Error decrypting header %(header)s: %(error)s",
                 {'header': header, 'error': err})
             raise HTTPInternalServerError(
                 body='Error decrypting header',
@@ -197,7 +196,7 @@ class DecrypterObjContext(BaseDecrypterContext):
                 result.append((new_prefix + short_name, decrypted_value))
         return result
 
-    def decrypt_resp_headers(self, put_keys, post_keys):
+    def decrypt_resp_headers(self, put_keys, post_keys, update_cors_exposed):
         """
         Find encrypted headers and replace with the decrypted versions.
 
@@ -236,11 +235,27 @@ class DecrypterObjContext(BaseDecrypterContext):
         # that map to the same x-object-meta- header names i.e. decrypted
         # headers win over unexpected, unencrypted headers.
         if post_keys:
-            mod_hdr_pairs.extend(self.decrypt_user_metadata(post_keys))
+            decrypted_meta = self.decrypt_user_metadata(post_keys)
+            mod_hdr_pairs.extend(decrypted_meta)
+        else:
+            decrypted_meta = []
 
         mod_hdr_names = {h.lower() for h, v in mod_hdr_pairs}
-        mod_hdr_pairs.extend([(h, v) for h, v in self._response_headers
-                              if h.lower() not in mod_hdr_names])
+
+        found_aceh = False
+        for header, value in self._response_headers:
+            lheader = header.lower()
+            if lheader in mod_hdr_names:
+                continue
+            if lheader == 'access-control-expose-headers':
+                found_aceh = True
+                mod_hdr_pairs.append((header, value + ', ' + ', '.join(
+                    meta.lower() for meta, _data in decrypted_meta)))
+            else:
+                mod_hdr_pairs.append((header, value))
+        if update_cors_exposed and not found_aceh:
+            mod_hdr_pairs.append(('Access-Control-Expose-Headers', ', '.join(
+                meta.lower() for meta, _data in decrypted_meta)))
         return mod_hdr_pairs
 
     def multipart_response_iter(self, resp, boundary, body_key, crypto_meta):
@@ -297,7 +312,7 @@ class DecrypterObjContext(BaseDecrypterContext):
             try:
                 crypto_meta = self.get_crypto_meta(header, check)
             except EncryptionException as err:
-                self.logger.error(_('Error decrypting object: %s'), err)
+                self.logger.error('Error decrypting object: %s', err)
                 raise HTTPInternalServerError(
                     body='Error decrypting object', content_type='text/plain')
         return crypto_meta
@@ -326,7 +341,9 @@ class DecrypterObjContext(BaseDecrypterContext):
                            self._response_exc_info)
             return app_resp
 
-        mod_resp_headers = self.decrypt_resp_headers(put_keys, post_keys)
+        mod_resp_headers = self.decrypt_resp_headers(
+            put_keys, post_keys,
+            update_cors_exposed=bool(req.headers.get('origin')))
 
         if put_crypto_meta and req.method == 'GET' and \
                 is_success(self._get_status_int()):