rgw: sanitize the HTTP_* http header elements

[mkogan1]

to remove trailing <CR> and <LF> characters
which can cause swift requests to fail authentication
when present in the HTTP_X_AUTH_TOKEN

in addition, will sanitize also the following headers for example:
HTTP_HOST
HTTP_USER_AGENT
HTTP_ACCEPT

Fixes: https://tracker.ceph.com/issues/41376

Signed-off-by: Mark Kogan mkogan@redhat.com

Checklist

• References tracker ticket
• Updates documentation if necessary
• Includes tests for new functionality or reproducer for bug

---

Show available Jenkins commands

• jenkins retest this please
• jenkins test make check
• jenkins test make check arm64
• jenkins test submodules
• jenkins test dashboard
• jenkins test docs
• jenkins render docs

[mattbenjamin]

this works, but should we be considering the entire header? I mean, the reported issue is just extra data at the end

[mkogan1]

yes, pushed a change that moves the sanitization to top of the header elements processing loop to cover all the header elements.

[stale]

This pull request has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs for another 30 days.
If you are a maintainer or core committer, please follow-up on this pull request to identify what steps should be taken by the author to move this proposed change forward.
If you are the author of this pull request, thank you for your proposed contribution. If you believe this change is still appropriate, please ensure that any feedback has been addressed and ask for a code review.

[mkogan1]

please unstale....

[cbodley]

@mkogan1 what else needs to be done here?

[mkogan1]

@cbodley will add a ceph.conf option to disable by default

[yuvalif]

why copy to "value"?
can you modify in place (use: auto& value = header->value)?

[cbodley]

ping @mkogan1

[cbodley]

after further discussion, since this can only apply to civetweb, i don't think it's worth adding this workaround for buggy clients