Signed-off-by: chixinze <xmdxcxz@gmail.com> (cherry picked from commit ac0cf1417005186b4542f7e56d6815605e6d2c5c)
From ba0790a01ba5252db1ebc299db6e12cd758d0ff9 Mon Sep 17 00:00:00 2001
From: Matt Benjamin <mbenjamin@redhat.com>
Date: Fri, 27 Mar 2020 18:13:48 +0100
Subject: [PATCH] rgw: reject unauthenticated response-header actions
Signed-off-by: Matt Benjamin <mbenjamin@redhat.com>
Reviewed-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)
---
src/rgw/rgw_rest_s3.cc | 5 +++++
1 file changed, 5 insertions(+)
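--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -266,6 +266,11 @@ int RGWGetObj_ObjStore_S3::send_response_data(bufferlist& bl, off_t bl_ofs,
 bool exists;
 string val = s->info.args.get(p->param, &exists);
 if (exists) {
+/* reject unauthenticated response header manipulation, see
+ * https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html */
+if (s->auth.identity->is_anonymous()) {
+return -EPERM;
+}
 if (strcmp(p->param, "response-content-type") != 0) {
 response_attrs[p->http_attr] = val;
 } else {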
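Review bot: The anonymous-identity check sits inside the per-parameter loop of send_response_data, so an anonymous request carrying a `response-*` override is only refused once the response path is already being built rather than at request validation; if the surrounding handler has fetched object data before this point (the enclosing function starts and ends outside the hunk, so I cannot confirm that from here), hoisting the check to where the response-header arguments are first parsed would deny the request before any of that work is done. The new condition also dereferences `s->auth.identity` unconditionally; if any request can reach this loop with the identity unset, the defensive form `if (!s->auth.identity || s->auth.identity->is_anonymous())` avoids a null dereference while keeping the same policy. The return value deserves a one-line note for readers of the caller, e.g. `/* -EPERM: anonymous callers may not override response headers */`, since the AWS link explains the policy but not why this particular errno was chosen.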
--
2.23.0