Merge pull request #35773 from theanalyst/master-rgw-cors-fixes

rgw: sanitize newlines in s3 CORSConfiguration's ExposeHeader Reviewed-By: Casey Bodley <cbodley@redhat.com> Reviewed-By: Abhishek Lekshmanan <abhishek@suse.com> Reviewed-By: Josh Durgin <jdurgin@redhat.com>
ceph · Jun 25, 2020 · ea0a337 · ea0a337
2 parents 947d82f + 1524d3c
commit ea0a337
Showing 1 changed file with 6 additions and 5 deletions.
diff --git a/src/rgw/rgw_cors.cc b/src/rgw/rgw_cors.cc
@@ -144,11 +144,12 @@ bool RGWCORSRule::is_header_allowed(const char *h, size_t len) {
 
 void RGWCORSRule::format_exp_headers(string& s) {
   s = "";
-  for(list<string>::iterator it = exposable_hdrs.begin();
-      it != exposable_hdrs.end(); ++it) {
-      if (s.length() > 0)
-        s.append(",");
-      s.append((*it));
+  for (const auto& header : exposable_hdrs) {
+    if (s.length() > 0)
+      s.append(",");
+    // these values are sent to clients in a 'Access-Control-Expose-Headers'
+    // response header, so we escape '\n' to avoid header injection
+    boost::replace_all_copy(std::back_inserter(s), header, "\n", "\\n");
   }
 }