d07f210741
Signed-off-by: chixinze <xmdxcxz@gmail.com> (cherry picked from commit ac0cf1417005186b4542f7e56d6815605e6d2c5c)
48 lines
1.6 KiB
Diff
48 lines
1.6 KiB
Diff
From 46817f30cee60bc5df8354ab326762e7c783fe2c Mon Sep 17 00:00:00 2001
|
|
From: Casey Bodley <cbodley@redhat.com>
|
|
Date: Tue, 26 May 2020 15:03:03 -0400
|
|
Subject: [PATCH] rgw: sanitize newlines in s3 CORSConfiguration's ExposeHeader
|
|
|
|
the values in the <ExposeHeader> element are sent back to clients in a
|
|
Access-Control-Expose-Headers response header. if the values are allowed
|
|
to have newlines in them, they can be used to inject arbitrary response
|
|
headers
|
|
|
|
this issue only affects s3, which gets these values from an xml document
|
|
|
|
in swift, they're given in the request header
|
|
X-Container-Meta-Access-Control-Expose-Headers, so the value itself
|
|
cannot contain newlines
|
|
|
|
Signed-off-by: Casey Bodley <cbodley@redhat.com>
|
|
Reported-by: Adam Mohammed <amohammed@linode.com>
|
|
---
|
|
src/rgw/rgw_cors.cc | 11 ++++++-----
|
|
1 file changed, 6 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/src/rgw/rgw_cors.cc b/src/rgw/rgw_cors.cc
|
|
index 07dbab5d3e2..0b3e4f39455 100644
|
|
--- a/src/rgw/rgw_cors.cc
|
|
+++ b/src/rgw/rgw_cors.cc
|
|
@@ -144,11 +144,12 @@ bool RGWCORSRule::is_header_allowed(const char *h, size_t len) {
|
|
|
|
void RGWCORSRule::format_exp_headers(string& s) {
|
|
s = "";
|
|
- for(list<string>::iterator it = exposable_hdrs.begin();
|
|
- it != exposable_hdrs.end(); ++it) {
|
|
- if (s.length() > 0)
|
|
- s.append(",");
|
|
- s.append((*it));
|
|
+ for (const auto& header : exposable_hdrs) {
|
|
+ if (s.length() > 0)
|
|
+ s.append(",");
|
|
+ // these values are sent to clients in a 'Access-Control-Expose-Headers'
|
|
+ // response header, so we escape '\n' to avoid header injection
|
|
+ boost::replace_all_copy(std::back_inserter(s), header, "\n", "\\n");
|
|
}
|
|
}
|
|
|
|
--
|
|
2.23.0
|
|
|