author | Abhishek L <abhishek@suse.com> | 2020-06-25 19:42:22 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-06-25 19:42:22 +0200 |
commit | 2b621ce6422f212ec92f8aa9e6917d916275c0be (patch) | |
tree | b8da2e1c8051fb66a49fd390d049d707a636b1e2 | |
parent | 5c9eee5a7ad1bb8b161f33b4560d5dfc4a000b6d (diff) | |
parent | 3c36e74aa9c6b760d0fbc5c50419052d531ffdb7 (diff) | |
download | ceph-2b621ce6422f212ec92f8aa9e6917d916275c0be.tar.gz |
Merge pull request #35774 from theanalyst/octopus-rgw-cors-fixes
octopus: rgw: sanitize newlines in s3 CORSConfiguration's ExposeHeader
Reviewed-By: Josh Durgin <jdurgin@redhat.com>
Reviewed-By: Abhishek Lekshmanan <abhishek@suse.com>
-rw-r--r-- | src/rgw/rgw_cors.cc | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/src/rgw/rgw_cors.cc b/src/rgw/rgw_cors.cc
index 422767f34eb..94d08f7ae3b 100644
--- a/src/rgw/rgw_cors.cc
+++ b/src/rgw/rgw_cors.cc
@@ -144,11 +144,12 @@ bool RGWCORSRule::is_header_allowed(const char *h, size_t len) {
 void RGWCORSRule::format_exp_headers(string& s) {
   s = "";
-  for(list<string>::iterator it = exposable_hdrs.begin();
-      it != exposable_hdrs.end(); ++it) {
-    if (s.length() > 0)
-      s.append(",");
-    s.append((*it));
+  for (const auto& header : exposable_hdrs) {
+    if (s.length() > 0)
+      s.append(",");
+    // these values are sent to clients in a 'Access-Control-Expose-Headers'
+    // response header, so we escape '\n' to avoid header injection
+    boost::replace_all_copy(std::back_inserter(s), header, "\n", "\\n");
   }
 }
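Review bot: The new `boost::replace_all_copy` line escapes only '\n', so a stored ExposeHeader value containing a bare '\r' (or the CR half of a "\r\n" pair) is still copied verbatim into the Access-Control-Expose-Headers response header; whether a front-end treats a lone CR as a line terminator is not visible from this hunk, but RFC 7230 forbids CR in a field-value just as it forbids LF, so escaping both is cheaper than reasoning about every parser. I would rewrite the append as `std::string escaped = boost::replace_all_copy(header, "\n", "\\n");` `boost::replace_all(escaped, "\r", "\\r");` `s.append(escaped);`. The more robust fix is upstream of this function: reject any ExposeHeader that is not an RFC 7230 token when the PutBucketCors document is parsed, since a header name can never legitimately contain control characters and output-time escaping only masks the bad stored value. The comment could also say why the value is untrusted: `// header names come from a user-supplied PutBucketCors document`. This assumes the boost/algorithm/string include is already present above the hunk.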