From: Radoslaw Zarzynski Date: Fri, 28 Jul 2017 14:37:07 +0000 (-0400) Subject: rgw: TempURL should not allow PUTs with the X-Object-Manifest. X-Git-Tag: v15.1.0~2588^2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=40e602bc3866598952eb0dd68ecec947dd7b70d6;p=ceph.git rgw: TempURL should not allow PUTs with the X-Object-Manifest. Fixes: http://tracker.ceph.com/issues/20797 Signed-off-by: Radoslaw Zarzynski
---
diff --git a/src/rgw/rgw_swift_auth.cc b/src/rgw/rgw_swift_auth.cc
index 9674424b035..c752350ec5f 100644
--- a/src/rgw/rgw_swift_auth.cc
+++ b/src/rgw/rgw_swift_auth.cc
@@ -2,6 +2,7 @@
 // vim: ts=8 sw=2 smarttab
 #include
+#include
 #include
 #include
@@ -138,7 +139,20 @@ bool TempURLEngine::is_expired(const std::string& expires) const
 return false;
 }
-std::string extract_swift_subuser(const std::string& swift_user_name) {
+bool TempURLEngine::is_disallowed_header_present(const req_info& info) const
+{
+ static const auto headers = {
+ "HTTP_X_OBJECT_MANIFEST",
+ };
+
+ return std::any_of(std::begin(headers), std::end(headers),
+ [&info](const char* header) {
+ return info.env->exists(header);
+ });
+}
+
+std::string extract_swift_subuser(const std::string& swift_user_name)
+{
 size_t pos = swift_user_name.find(':');
 if (std::string::npos == pos) {
 return swift_user_name;
@@ -222,6 +236,11 @@ TempURLEngine::authenticate(const req_state* const s) const
 return result_t::reject(-EPERM);
 }
+ if (is_disallowed_header_present(s->info)) {
+ ldout(cct, 5) << "temp url rejected due to disallowed header" << dendl;
+ return result_t::reject(-EINVAL);
+ }
+
 /* We need to verify two paths because of compliance with Swift, Tempest
 * and old versions of RadosGW. The second item will have the prefix
 * of Swift API entry point removed. */
diff --git a/src/rgw/rgw_swift_auth.h b/src/rgw/rgw_swift_auth.h
index 055d541d327..fd3c1b712f3 100644
--- a/src/rgw/rgw_swift_auth.h
+++ b/src/rgw/rgw_swift_auth.h
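Review bot: TempURLEngine::is_disallowed_header_present() in rgw_swift_auth.cc has no comment saying why X-Object-Manifest is refused, so a later maintainer cannot tell what else belongs in the list. I would add above `headers` something like `/* Headers a TempURL request must not carry; a manifest header would presumably let the holder reference objects beyond the signed path (tracker issue 20797). */`, with the rationale confirmed against the tracker entry. The lookup matches the exact env key `HTTP_X_OBJECT_MANIFEST`, so it depends on the frontend storing request headers under that normalized name; that normalization is not visible in this hunk and should be stated as an assumption in the same comment. As a style point, `static const auto headers = {...}` silently deduces `std::initializer_list<const char*>`; `static const char* const headers[] = {...}` spells the type out and works unchanged with `std::begin`/`std::end`.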
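Review bot: The guard added to TempURLEngine::authenticate() in rgw_swift_auth.cc rejects a TempURL request carrying the header whatever its method, while the commit subject speaks only of PUTs. If the broader rule is intended, say so at the check, e.g. `/* Deliberately method-agnostic: no TempURL request may carry X-Object-Manifest. */`. The level-5 log line also omits the request method, which makes these denials harder to tell apart when reviewing rejected TempURL traffic; `<< "temp url rejected due to disallowed header, method=" << s->info.method << dendl;` would record it, assuming `method` is always set by this point. authenticate() starts and ends outside this hunk, so the guard's position ahead of signature verification is inferred from the trailing comment only.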
@@ -47,6 +47,7 @@ class TempURLEngine : public rgw::auth::Engine {
 RGWUserInfo& owner_info) const;
 bool is_applicable(const req_state* s) const noexcept;
 bool is_expired(const std::string& expires) const;
+ bool is_disallowed_header_present(const req_info& info) const;
 class SignatureHelper;