rgw: don't allow negative / invalid content length 4829/head
authorYehuda Sadeh <yehuda@redhat.com>
Fri, 1 Aug 2014 23:15:36 +0000 (16:15 -0700)
committerOrit Wasserman <owasserm@redhat.com>
Tue, 2 Jun 2015 15:54:49 +0000 (17:54 +0200)
Certain frontends (e.g., civetweb) don't filter such requests.

Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
(cherry picked from commit 0e74b7a1d56733358e2f1d3df4386125a94c2966)

src/rgw/rgw_common.h
src/rgw/rgw_op.cc
src/rgw/rgw_rest.cc

index 975bb9dbc63dffb0e6c6b3c55e33ca8e1b007c3d..62c357998103905a108cea2ff7efe8a00c861490 100644 (file)
@@ -863,7 +863,7 @@ struct req_state {
    string decoded_uri;
    string relative_uri;
    const char *length;
-   uint64_t content_length;
+   int64_t content_length;
    map<string, string> generic_attrs;
    struct rgw_err err;
    bool expect_cont;
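Review bot: The switch to `int64_t` changes the signedness of every comparison and arithmetic use of `content_length`, and only the one in RGWPutObj::execute is adjusted in this commit. Other users that compare the field with unsigned sizes or limits are not visible here and should be checked for implicit signed/unsigned conversions. A comment on the field would record the intent, e.g. `int64_t content_length; // signed so a negative Content-Length can be detected and rejected`. The definition of struct req_state extends beyond this hunk.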
index cc557d8b5d5e80d9947405a5c6709916d9252644..ec647778945f07f45c331ddf2eb8ed1480477536 100644 (file)
@@ -1670,7 +1670,7 @@ void RGWPutObj::execute()
     ofs += len;
   } while (len > 0);
 
-  if (!chunked_upload && (uint64_t)ofs != s->content_length) {
+  if (!chunked_upload && ofs != s->content_length) {
     ret = -ERR_REQUEST_TIMEOUT;
     goto done;
   }
index a907decf063d5ed4a994a50d9d2a9ac369f5f9fa..768ca09a476f71091c51a244be0cea06883c7043 100644 (file)
@@ -1240,10 +1240,21 @@ int RGWREST::preprocess(struct req_state *s, RGWClientIO *cio)
   url_decode(s->info.request_uri, s->decoded_uri);
   s->length = info.env->get("CONTENT_LENGTH");
   if (s->length) {
-    if (*s->length == '\0')
+    if (*s->length == '\0') {
       s->content_length = 0;
-    else
-      s->content_length = atoll(s->length);
+    } else {
+      string err;
+      s->content_length = strict_strtol(s->length, 10, &err);
+      if (!err.empty()) {
+        ldout(s->cct, 10) << "bad content length, aborting" << dendl;
+        return -EINVAL;
+      }
+    }
+  }
+
+  if (s->content_length < 0) {
+    ldout(s->cct, 10) << "negative content length, aborting" << dendl;
+    return -EINVAL;
   }
 
   map<string, string>::iterator giter;
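Review bot: `strict_strtol` is, as far as I know, the int-returning helper in Ceph's common strtol code, so a Content-Length above INT_MAX would come back with a non-empty `err` and the request would be rejected with -EINVAL, breaking uploads larger than 2 GiB. Parsing into the 64-bit field should use the long long variant, `s->content_length = strict_strtoll(s->length, 10, &err);`. The `s->content_length < 0` check sits outside `if (s->length)`, so when the header is absent it reads whatever value the field was initialised with elsewhere, which is not visible here. Both rejections are logged only at level 10, so raising them to a more visible level would help operators notice malformed requests reaching frontends that do not filter them. preprocess() begins before and continues after this hunk.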