authorCasey Bodley <cbodley@redhat.com>2020-05-26 15:03:03 -0400
committerAbhishek Lekshmanan <abhishek@suse.com>2020-06-25 14:01:03 +0200
commit3c36e74aa9c6b760d0fbc5c50419052d531ffdb7 (patch)
treeb8da2e1c8051fb66a49fd390d049d707a636b1e2
parent5c9eee5a7ad1bb8b161f33b4560d5dfc4a000b6d (diff)
downloadceph-3c36e74aa9c6b760d0fbc5c50419052d531ffdb7.tar.gz
rgw: sanitize newlines in s3 CORSConfiguration's ExposeHeader
the values in the <ExposeHeader> element are sent back to clients in an Access-Control-Expose-Headers response header. if the values are allowed to have newlines in them, they can be used to inject arbitrary response headers.

this issue only affects s3, which gets these values from an xml document. in swift, they're given in the request header X-Container-Meta-Access-Control-Expose-Headers, so the value itself cannot contain newlines.

Signed-off-by: Casey Bodley <cbodley@redhat.com>
Reported-by: Adam Mohammed <amohammed@linode.com>
-rw-r--r--src/rgw/rgw_cors.cc11
1 files changed, 6 insertions, 5 deletions
diff --git a/src/rgw/rgw_cors.cc b/src/rgw/rgw_cors.cc
index 422767f34eb..94d08f7ae3b 100644
--- a/src/rgw/rgw_cors.cc
+++ b/src/rgw/rgw_cors.cc
@@ -144,11 +144,12 @@ bool RGWCORSRule::is_header_allowed(const char *h, size_t len) {
void RGWCORSRule::format_exp_headers(string& s) {
s = "";
- for(list<string>::iterator it = exposable_hdrs.begin();
- it != exposable_hdrs.end(); ++it) {
- if (s.length() > 0)
- s.append(",");
- s.append((*it));
+ for (const auto& header : exposable_hdrs) {
+ if (s.length() > 0)
+ s.append(",");
+ // these values are sent to clients in a 'Access-Control-Expose-Headers'
+ // response header, so we escape '\n' to avoid header injection
+ boost::replace_all_copy(std::back_inserter(s), header, "\n", "\\n");
}
}
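Review bot: The escape added in the loop of `format_exp_headers` handles only `'\n'`, so a carriage return in an `<ExposeHeader>` value still reaches the `Access-Control-Expose-Headers` response header unchanged, and some HTTP clients and intermediaries are lenient enough to treat a bare CR as a line terminator. I would escape both characters, e.g. `std::string v = boost::replace_all_copy(header, "\n", "\\n");` then `boost::replace_all(v, "\r", "\\r");` then `s.append(v);`, and update the comment to name both. Separately, the escaped value is still not a valid header field name, so rejecting values that contain control characters when the CORSConfiguration XML is parsed (that code is not visible in this hunk) would be a stricter fix than rewriting them at output time.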