rgw: sanitize \r in s3 CORSConfiguration's ExposeHeader

follows up on 1524d3c to escape \r as well Fixes: CVE-2021-3524 Reported-by: Sergey Bobrov <Sergey.Bobrov@kaspersky.com> Signed-off-by: Casey Bodley <cbodley@redhat.com> (cherry picked from commit 87806f48e7a1b8891eb90711f1cedd26f1119aac)
ceph · May 11, 2021 · 763aebb · 763aebb
1 parent f44a8ae
commit 763aebb
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/src/rgw/rgw_cors.cc b/src/rgw/rgw_cors.cc
@@ -148,8 +148,9 @@ void RGWCORSRule::format_exp_headers(string& s) {
     if (s.length() > 0)
       s.append(",");
     // these values are sent to clients in a 'Access-Control-Expose-Headers'
-    // response header, so we escape '\n' to avoid header injection
-    boost::replace_all_copy(std::back_inserter(s), header, "\n", "\\n");
+    // response header, so we escape '\n' and '\r' to avoid header injection
+    std::string tmp = boost::replace_all_copy(header, "\n", "\\n");
+    boost::replace_all_copy(std::back_inserter(s), tmp, "\r", "\\r");
   }
 }