rgw: sanitize the HTTP_* http header elements #29814
Conversation
src/rgw/rgw_civetweb.cc
@@ -129,7 +129,14 @@ int RGWCivetWeb::init_env(CephContext *cct) | |||
} | |||
*dest = '\0'; | |||
|
|||
env.set(buf, value); | |||
string sanitized_value = value; |
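Review bot: the added `string sanitized_value = value;` only copies the value at the point where it is stored, so whatever trimming follows it (the rest of the +7 lines is not visible in this truncated hunk) covers just that one element's trailing bytes; do the trimming once at the top of the header loop so every HTTP_* element (HTTP_HOST, HTTP_USER_AGENT, HTTP_ACCEPT, HTTP_X_AUTH_TOKEN) is sanitized before `env.set(buf, value);`, and make that store use the sanitized string rather than the untouched `value`.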
this works, but should we be considering the entire header? I mean, the reported issue is just extra data at the end
yes, pushed a change that moves the sanitization to the top of the header-element processing loop to cover all the header elements.
force-pushed from a09ef27 to e207a4b
to remove trailing <CR> and <LF> characters which can cause swift requests
to fail authentication when present in the HTTP_X_AUTH_TOKEN
in addition will clean also the following headers for example:
HTTP_HOST
HTTP_USER_AGENT
HTTP_ACCEPT

Fixes: https://tracker.ceph.com/issues/41376
Signed-off-by: Mark Kogan <mkogan@redhat.com>
force-pushed from e207a4b to f8295db
This pull request has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs for another 30 days.
please unstale....
@mkogan1 what else needs to be done here?
@cbodley will add a ceph.conf option to disable by default
@@ -101,7 +101,13 @@ int RGWCivetWeb::init_env(CephContext *cct) | |||
} | |||
|
|||
const boost::string_ref name(header->name); | |||
const auto& value = header->value; | |||
string value = header->value; |
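Review bot: `string value = header->value;` replaces the `const auto&` reference with a copy of every header value on every request; since `name` on the line above is already a `boost::string_ref`, the trailing CR/LF can be dropped by shortening a `boost::string_ref` view of `header->value` instead of copying, which also leaves civetweb's header buffer untouched. If a mutable copy really is needed, make it only for elements that actually end in CR/LF.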
why copy to "value"?
can you modify in place (use: auto& value = header->value)?
ping @mkogan1
after further discussion, since this can only apply to civetweb, i don't think it's worth adding this workaround for buggy clients |
to remove trailing <CR> and <LF> characters which can cause swift requests to fail authentication
when present in the HTTP_X_AUTH_TOKEN
in addition, will sanitize also the following headers for example:
HTTP_HOST
HTTP_USER_AGENT
HTTP_ACCEPT
Fixes: https://tracker.ceph.com/issues/41376
Signed-off-by: Mark Kogan <mkogan@redhat.com>
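As an added example (not Ceph's or civetweb's code) of what the PR description above does: a stand-alone C++ model that strips only trailing <CR>/<LF> bytes from every header element at the top of the loop, before the element is stored under its HTTP_* key. `Header`, `env_key`, `strip_trailing_crlf` and `build_env` are constructed names, and the request values are made up.

```cpp
#include <cctype>
#include <map>
#include <string>
#include <vector>

// Added example, not Ceph's code: models the sanitization this PR adds
// for civetweb headers. Struct and function names are constructed.
struct Header { std::string name; std::string value; };

// Convert "X-Auth-Token" to the CGI-style env key "HTTP_X_AUTH_TOKEN".
std::string env_key(const std::string& name) {
  std::string key = "HTTP_";
  for (unsigned char c : name) {
    key += (c == '-') ? '_' : static_cast<char>(std::toupper(c));
  }
  return key;
}

// Strip trailing <CR> and <LF> bytes only; interior bytes are untouched.
// Returns the number of bytes removed so a caller can count or log it.
std::size_t strip_trailing_crlf(std::string& value) {
  std::size_t n = value.size();
  while (n > 0 && (value[n - 1] == '\r' || value[n - 1] == '\n')) --n;
  std::size_t removed = value.size() - n;
  value.resize(n);
  return removed;
}

// Build the HTTP_* env map the way the fix does: sanitize every header
// element at the top of the loop, before it is stored.
std::map<std::string, std::string> build_env(std::vector<Header> headers) {
  std::map<std::string, std::string> env;
  for (auto& h : headers) {
    strip_trailing_crlf(h.value);
    env[env_key(h.name)] = h.value;
  }
  return env;
}

int main() {
  // Constructed request: a buggy client appended CRLF to the token.
  auto env = build_env({{"Host", "rgw.example.invalid\r\n"},
                        {"X-Auth-Token", "AUTH_tk1234\r\n"},
                        {"User-Agent", "python-swiftclient"}});
  return env["HTTP_X_AUTH_TOKEN"] == "AUTH_tk1234" ? 0 : 1;
}
```

Note that only trailing bytes are removed: a CR or LF in the middle of a value reaches the env map unchanged, which is the behaviour the PR describes.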