From 3c38ebd2e1f4d6f7f0c529aa8a9eb45c145fc7cb Mon Sep 17 00:00:00 2001
From: wangzengliang <wangzengliang2@huawei.com>
Date: Wed, 18 Oct 2023 11:24:18 +0800
Subject: [PATCH] fix CVE-2023-43040

Signed-off-by: wangzengliang <wangzengliang2@huawei.com>
(cherry picked from commit 18f048121b48d30deab35eaabc6565c5bbd90dd4)
---
 0027-fix-CVE-2023-43040.patch | 41 +++++++++++++++++++++++++++++++++++
 ceph.spec                     |  7 +++++-
 2 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 0027-fix-CVE-2023-43040.patch

diff --git a/0027-fix-CVE-2023-43040.patch b/0027-fix-CVE-2023-43040.patch
new file mode 100644
index 0000000..d7897e1
--- /dev/null
+++ b/0027-fix-CVE-2023-43040.patch
@@ -0,0 +1,41 @@
+From 62010cd68bb68207d51c2e373ff9a4a18a2b005c Mon Sep 17 00:00:00 2001
+From: wangzengliang <wangzengliang2@huawei.com>
+Date: Wed, 18 Oct 2023 11:18:56 +0800
+Subject: [PATCH] fix CVE-2023-43040
+
+Fixes: https://tracker.ceph.com/issues/63004
+copied-by: https://github.com/ceph/ceph/pull/53758
+signed-off-by: Joshua Baergen <jbaergen@gigitalocean.com>
+---
+ src/rgw/rgw_rest_s3.cc | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
+index 3b07327f..4b039430 100644
+--- a/src/rgw/rgw_rest_s3.cc
++++ b/src/rgw/rgw_rest_s3.cc
+@@ -1547,10 +1547,6 @@ int RGWPostObj_ObjStore_S3::get_params()
+     return op_ret;
+   }
+ 
+-  ldout(s->cct, 20) << "adding bucket to policy env: " << s->bucket.name
+-		    << dendl;
+-  env.add_var("bucket", s->bucket.name);
+-
+   bool done;
+   do {
+     struct post_form_part part;
+@@ -1601,6 +1597,10 @@ int RGWPostObj_ObjStore_S3::get_params()
+     env.add_var(part.name, part_str);
+   } while (!done);
+ 
++  ldout(s->cct, 20) << "adding bucket to policy env: " << s->bucket.name
++		    << dendl;
++  env.add_var("bucket", s->bucket.name);
++
+   string object_str;
+   if (!part_str(parts, "key", &object_str)) {
+     err_msg = "Key not specified";
+-- 
+2.27.0
+
diff --git a/ceph.spec b/ceph.spec
index 1b26df7..cb9cfc0 100644
--- a/ceph.spec
+++ b/ceph.spec
@@ -68,7 +68,7 @@
 #################################################################################
 Name:		ceph
 Version:	12.2.8
-Release:	22
+Release:	23
 Epoch:		2
 
 # define _epoch_prefix macro which will expand to the empty string if epoch is
@@ -110,6 +110,7 @@ Patch23: 0023-common-mempool-only-fail-tests-if-sharding-is-very-b.patch
 Patch24: 0024-CVE-2021-3979.patch
 Patch25: 0025-fix-rgw-ldap-safe_read_file-can-return-0.patch
 Patch26: 0026-CVE-2021-20288.patch
+Patch27: 0027-fix-CVE-2023-43040.patch
 
 Requires:	glibc >= 2.28-66
 
@@ -1858,6 +1859,10 @@ exit 0
 
 
 %changelog
+* Wed Oct 18 2023 wangzengliang <wangzengliang2@huawei.com> - 2:12.2.8-23
+- fix CVE-2023-43040
+- sync PR #207
+
 * Mon May 23 2022 wangzengliang <wangzengliang1@huawei.com> - 2:12.2.8-22
 - 0026-CVE-2021-20288.patch