rgw: TempURL should not allow PUTs with the X-Object-Manifest. 28711/head
authorRadoslaw Zarzynski <rzarzyns@redhat.com>
Fri, 28 Jul 2017 14:37:07 +0000 (10:37 -0400)
committerPrashant D <pdhange@redhat.com>
Mon, 24 Jun 2019 03:23:49 +0000 (23:23 -0400)
Fixes: http://tracker.ceph.com/issues/20797
Signed-off-by: Radoslaw Zarzynski <rzarzyns@redhat.com>
(cherry picked from commit 40e602bc3866598952eb0dd68ecec947dd7b70d6)

src/rgw/rgw_swift_auth.cc
src/rgw/rgw_swift_auth.h

index d73b6d51d9635b985d8a3d5434c148c9fc10c17c..3e70392672b5e2c4dd52f4fee5c06f3ff32ec88c 100644 (file)
@@ -2,6 +2,7 @@
 // vim: ts=8 sw=2 smarttab
 
 #include <array>
+#include <algorithm>
 
 #include <boost/utility/string_view.hpp>
 #include <boost/container/static_vector.hpp>
@@ -140,7 +141,20 @@ bool TempURLEngine::is_expired(const std::string& expires) const
   return false;
 }
 
-std::string extract_swift_subuser(const std::string& swift_user_name) {
+bool TempURLEngine::is_disallowed_header_present(const req_info& info) const
+{
+  static const auto headers = {
+    "HTTP_X_OBJECT_MANIFEST",
+  };
+
+  return std::any_of(std::begin(headers), std::end(headers),
+                     [&info](const char* header) {
+                       return info.env->exists(header);
+                     });
+}
+
+std::string extract_swift_subuser(const std::string& swift_user_name)
+{
   size_t pos = swift_user_name.find(':');
   if (std::string::npos == pos) {
     return swift_user_name;
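Review bot: `is_disallowed_header_present()` carries no comment explaining why `HTTP_X_OBJECT_MANIFEST` is refused, and it tests for the header on every method although the commit title speaks only of PUTs. I would add above the definition something like `/* A temp URL grants access to a single object path; X-Object-Manifest would let the request define a manifest that refers to other objects, so it is rejected whatever the method. */`. That rationale is my reading of the title and the linked tracker issue, so please confirm the wording and state whether the method-independent check is intended. As a smaller style point, `static const auto headers = { ... }` deduces `std::initializer_list<const char*>` and depends on the backing array sharing the static object's lifetime. `static const char* const headers[] = { "HTTP_X_OBJECT_MANIFEST" };` works with the same `std::begin`/`std::end` calls and is easier to audit. The body of `extract_swift_subuser` continues past the end of this hunk.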
@@ -284,6 +298,11 @@ TempURLEngine::authenticate(const req_state* const s) const
     return result_t::reject(-EPERM);
   }
 
+  if (is_disallowed_header_present(s->info)) {
+    ldout(cct, 5) << "temp url rejected due to disallowed header" << dendl;
+    return result_t::reject(-EINVAL);
+  }
+
   /* We need to verify two paths because of compliance with Swift, Tempest
    * and old versions of RadosGW. The second item will have the prefix
    * of Swift API entry point removed. */
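Review bot: The new rejection is logged only at level 5 and the message does not name the offending header, so an operator investigating refused temp URL requests may not see the event at the usual `debug_rgw` setting and cannot tell which header caused it once the list grows. Consider a lower level and a message that names the header, for example `ldout(cct, 1) << "temp url rejected: X-Object-Manifest not allowed" << dendl;`, or have the helper report the match. The return value is `-EINVAL` while the reject just above it in this hunk uses `-EPERM`; if that mirrors the status Swift returns for this case, a one-line comment such as `/* Bad request rather than permission failure, matching Swift. */` would keep a later reader from "fixing" it. `authenticate()` begins and ends outside this hunk, so I have not checked how the other reject paths are logged.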
index 49685068ee6a9a29fc8531d1a2e12f550ada2ec7..b1fbbe52d74d4ad2eec616c212a54c8edb6d70cd 100644 (file)
@@ -47,6 +47,7 @@ class TempURLEngine : public rgw::auth::Engine {
                       RGWUserInfo& owner_info) const;
   bool is_applicable(const req_state* s) const noexcept;
   bool is_expired(const std::string& expires) const;
+  bool is_disallowed_header_present(const req_info& info) const;
 
   class SignatureHelper;
   class PrefixableSignatureHelper;