rgw: reject unauthenticated response-header actions

author Matt Benjamin <mbenjamin@redhat.com>

Fri, 27 Mar 2020 17:13:48 +0000 (18:13 +0100)

committer Abhishek Lekshmanan <abhishek@suse.com>

Wed, 8 Apr 2020 15:31:05 +0000 (17:31 +0200)
author Matt Benjamin <mbenjamin@redhat.com>
Fri, 27 Mar 2020 17:13:48 +0000 (18:13 +0100)
committer Abhishek Lekshmanan <abhishek@suse.com>
Wed, 8 Apr 2020 15:31:05 +0000 (17:31 +0200)
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc

index 18b1f8fd92dae7eec6633d3f1f97f42b4a8ecfbf..47df778ae072c917ef4d892ad3cc36915e7041a7 100644 (file)
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -283,6 +283,11 @@ int RGWGetObj_ObjStore_S3::send_response_data(bufferlist& bl, off_t bl_ofs,
        bool exists;
        string val = s->info.args.get(p->param, &exists);
        if (exists) {
+       /* reject unauthenticated response header manipulation, see
+        * https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html */
+       if (s->auth.identity->is_anonymous()) {
+         return -EPERM;
+       }
         if (strcmp(p->param, "response-content-type") != 0) {
           response_attrs[p->http_attr] = val;
         } else {
author	Matt Benjamin <mbenjamin@redhat.com>
	Fri, 27 Mar 2020 17:13:48 +0000 (18:13 +0100)
committer	Abhishek Lekshmanan <abhishek@suse.com>
	Wed, 8 Apr 2020 15:31:05 +0000 (17:31 +0200)