rgw: sanitize customer encryption keys from log output in v4 auth 26003/head
authorCasey Bodley <cbodley@redhat.com>
Mon, 10 Dec 2018 17:38:01 +0000 (12:38 -0500)
committerNathan Cutler <ncutler@suse.com>
Thu, 17 Jan 2019 11:49:10 +0000 (12:49 +0100)
Fixes: http://tracker.ceph.com/issues/37847
CVE-2018-16889

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 000797941fd303c3adc24f0089aeee0e902da205)

src/rgw/rgw_auth_s3.cc
src/rgw/rgw_rest_s3.cc

index f4bd2522c9f427fdf4e5181dc6df05bfd081cf88..9c2f38012f38b838d4a212c84297edc8dc28eff7 100644 (file)
@@ -655,7 +655,8 @@ get_v4_canon_req_hash(CephContext* cct,
 
   const auto canonical_req_hash = calc_hash_sha256(canonical_req);
 
-  ldout(cct, 10) << "canonical request = " << canonical_req << dendl;
+  using sanitize = rgw::crypt_sanitize::log_content;
+  ldout(cct, 10) << "canonical request = " << sanitize{canonical_req} << dendl;
   ldout(cct, 10) << "canonical request hash = "
                  << buf_to_hex(canonical_req_hash).data() << dendl;
 
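Review bot: The new `sanitize{canonical_req}` wrapper has no comment saying why it is there, and the same holds for `sanitize{*canonical_headers}` in the rgw_rest_s3.cc hunk (get_auth_data_v4). The protection is applied per log site, so a later cleanup could drop the wrapper and put the customer encryption key header back into level-10 logs. I would add `// canonical_req embeds the signed headers, which may carry the SSE-C customer key; never log it unwrapped` above the `using` line, and the equivalent in the other hunk. A regression test that sends a request with a customer-key header through this path and checks the log output would pin the fix; none is visible in this commit. Both function bodies continue outside their hunks, so other log statements printing the same data could not be checked here.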
index 67d0712f1f1b37b6339862fbff96f526ada2a2ce..d3e199a9f381ff69722c6e11b3a22939d1d06e6c 100644 (file)
@@ -3808,8 +3808,9 @@ AWSGeneralAbstractor::get_auth_data_v4(const req_state* const s,
   boost::optional<std::string> canonical_headers = \
     get_v4_canonical_headers(s->info, signed_hdrs, using_qs);
   if (canonical_headers) {
-    ldout(s->cct, 10) << "canonical headers format = " << *canonical_headers
-                      << dendl;
+    using sanitize = rgw::crypt_sanitize::log_content;
+    ldout(s->cct, 10) << "canonical headers format = "
+                      << sanitize{*canonical_headers} << dendl;
   } else {
     throw -EPERM;
   }