mds: fix client root metadata validation

author John Spray <john.spray@redhat.com>

Fri, 27 Nov 2015 12:27:47 +0000 (12:27 +0000)

committer John Spray <john.spray@redhat.com>

Tue, 5 Jan 2016 14:05:04 +0000 (14:05 +0000)
author John Spray <john.spray@redhat.com>
Fri, 27 Nov 2015 12:27:47 +0000 (12:27 +0000)
committer John Spray <john.spray@redhat.com>
Tue, 5 Jan 2016 14:05:04 +0000 (14:05 +0000)
diff --git a/src/mds/Server.cc b/src/mds/Server.cc

index 62cf62f1b28022b142e60bdc48f3bfa770d377ce..82ab288f198b635035aed8c464cda2c4954fa5c5 100644 (file)
--- a/src/mds/Server.cc
+++ b/src/mds/Server.cc
@@ -284,7 +284,10 @@ void Server::handle_client_session(MClientSession *m)
      // root is actually within the caps of the session
      if (session->info.client_metadata.count("root")) {
        const auto claimed_root = session->info.client_metadata.at("root");
-      if (!session->auth_caps.path_capable(claimed_root)) {
+      // claimed_root has a leading "/" which we strip before passing
+      // into caps check
+      if (claimed_root.empty() || claimed_root[0] != '/' ||
+          !session->auth_caps.path_capable(claimed_root.substr(1))) {
          derr << __func__ << " forbidden path claimed as mount root: "
               << claimed_root << " by " << m->get_source() << dendl;
          // Tell the client we're rejecting their open
author	John Spray <john.spray@redhat.com>
	Fri, 27 Nov 2015 12:27:47 +0000 (12:27 +0000)
committer	John Spray <john.spray@redhat.com>
	Tue, 5 Jan 2016 14:05:04 +0000 (14:05 +0000)