]> git-server-git.apps.pok.os.sepia.ceph.com Git - ceph.git/commitdiff
projects / ceph.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 79b6b4f)
rgw: validate x-amz-sha256
authorJavier M. Mellid <jmunhoz@igalia.com>
Thu, 15 Oct 2015 09:57:03 +0000 (11:57 +0200)
committerJavier M. Mellid <jmunhoz@igalia.com>
Sat, 13 Feb 2016 12:33:43 +0000 (12:33 +0000)
Verify content's sha256 sum matches the expected value.

Fixes: #10333
Signed-off-by: Javier M. Mellid <jmunhoz@igalia.com>
src/rgw/rgw_common.h patch | blob | history
src/rgw/rgw_http_errors.h patch | blob | history
src/rgw/rgw_rest_s3.cc patch | blob | history

diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h
index 48c4e292a9e0dcbb196a2e4c62ae09a9cdf0aeac..e540934fec489cba3114a9c446ad04d49ff85af0 100644 (file)
--- a/src/rgw/rgw_common.h
+++ b/src/rgw/rgw_common.h
@@ -172,6 +172,7 @@ using ceph::crypto::MD5;
 #define ERR_INVALID_TENANT_NAME  2037
 #define ERR_WEBSITE_REDIRECT     2038
 #define ERR_NO_SUCH_WEBSITE_CONFIGURATION 2039
+#define ERR_AMZ_CONTENT_SHA256_MISMATCH 2040
 #define ERR_USER_SUSPENDED       2100
 #define ERR_INTERNAL_ERROR       2200
 #define ERR_NOT_IMPLEMENTED      2201
diff --git a/src/rgw/rgw_http_errors.h b/src/rgw/rgw_http_errors.h
index 8ff290d7bed968d343268aafa05ac9fbc95914eb..c4a0724a4e861c704dc9306cd970833bbadecfe0 100644 (file)
--- a/src/rgw/rgw_http_errors.h
+++ b/src/rgw/rgw_http_errors.h
@@ -36,6 +36,7 @@ const static struct rgw_http_errors RGW_HTTP_ERRORS[] = {
     { ERR_TOO_SMALL, 400, "EntityTooSmall" },
     { ERR_TOO_MANY_BUCKETS, 400, "TooManyBuckets" },
     { ERR_MALFORMED_XML, 400, "MalformedXML" },
+    { ERR_AMZ_CONTENT_SHA256_MISMATCH, 400, "XAmzContentSHA256Mismatch" },
     { ERR_LENGTH_REQUIRED, 411, "MissingContentLength" },
     { EACCES, 403, "AccessDenied" },
     { EPERM, 403, "AccessDenied" },
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index e89d1af95499463c057e89431c112a6b62e3a406..c22de5705c9463e15c0ccce623779b3d21c67ebb 100644 (file)
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -2716,6 +2716,17 @@ int RGW_Auth_S3::authorize_v4_complete(RGWRados *store, struct req_state *s, str
       s->aws4_auth_canonical_hdrs, s->aws4_auth_signed_hdrs, request_payload, unsigned_payload,
       canonical_req, canonical_req_hash);
 
+  /* Validate x-amz-sha256 */
+
+  if (s->aws4_auth_complete) {
+    const char *expected_request_payload_hash = s->info.env->get("HTTP_X_AMZ_CONTENT_SHA256");
+    if (expected_request_payload_hash &&
+       s->aws4_auth_payload_hash.compare(expected_request_payload_hash) != 0) {
+      dout(10) << "ERROR: x-amz-content-sha256 does not match" << dendl;
+      return -ERR_AMZ_CONTENT_SHA256_MISMATCH;
+    }
+  }
+
   /*
    * create a string to sign
    *
Unnamed repository; edit this file 'description' to name the repository.