From: Jesse Williamson
Date: Tue, 13 Jun 2017 19:31:16 +0000 (-0700)
Subject: libradosstriper: remove format injection vulnerability
X-Git-Tag: ses5-milestone9~1^2~36^2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=e94d3b9661d287e500cdf4e6c102d2e3bb04475e;p=ceph.git
libradosstriper: remove format injection vulnerability
Fixes: http://tracker.ceph.com/issues/20240
Signed-off-by: Stan K
---
diff --git a/src/libradosstriper/RadosStriperImpl.cc b/src/libradosstriper/RadosStriperImpl.cc
index fd5f13f0065f..c6020bf95571 100644
--- a/src/libradosstriper/RadosStriperImpl.cc
+++ b/src/libradosstriper/RadosStriperImpl.cc
@@ -12,6 +12,8 @@
 *
 */
+#include
+
 #include "libradosstriper/RadosStriperImpl.h"
 #include
@@ -501,7 +503,9 @@ int libradosstriper::RadosStriperImpl::aio_read(const std::string& soid,
 // get list of extents to be read from
 vector *extents = new vector();
 if (read_len > 0) {
- std::string format = soid + RADOS_OBJECT_EXTENSION_FORMAT;
+ std::string format = soid;
+ boost::replace_all(format, "%", "%%");
+ format += RADOS_OBJECT_EXTENSION_FORMAT;
 file_layout_t l;
 l.from_legacy(layout);
 Striper::file_to_extents(cct(), format.c_str(), &l, off, read_len,
@@ -1077,7 +1081,9 @@ libradosstriper::RadosStriperImpl::internal_aio_write(const std::string& soid,
 if (len > 0) {
 // get list of extents to be written to
 vector extents;
- std::string format = soid + RADOS_OBJECT_EXTENSION_FORMAT;
+ std::string format = soid;
+ boost::replace_all(format, "%", "%%");
+ format += RADOS_OBJECT_EXTENSION_FORMAT;
 file_layout_t l;
 l.from_legacy(layout);
 Striper::file_to_extents(cct(), format.c_str(), &l, off, len, 0, extents);
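Review bot: The three-line `%` escaping is repeated verbatim in aio_read and again in internal_aio_write (the `@@ -1077` hunk), with no comment saying why it is needed, so a later caller that builds a format string from `soid` can easily omit it. Moving it into one file-local helper, with a comment that `soid` is caller-supplied and that the result is presumably consumed as a printf-style format by Striper::file_to_extents, keeps both sites in step; each call site then becomes `const std::string format = object_format_for(soid);` (the helper name is only a suggestion). Both functions begin and end outside their hunks, so whether other code in this file builds a format from `soid` cannot be checked from here and is worth a search for `RADOS_OBJECT_EXTENSION_FORMAT`. A regression test that writes and reads an object whose name contains `%` would pin the fix.

```cpp
// Builds the object-name format handed to Striper::file_to_extents.
// soid is caller-supplied, so every '%' in it is doubled to keep the
// name literal; only the appended RADOS_OBJECT_EXTENSION_FORMAT is
// meant to carry conversion specifiers.
static std::string object_format_for(const std::string& soid)
{
  std::string format = soid;
  boost::replace_all(format, "%", "%%");
  format += RADOS_OBJECT_EXTENSION_FORMAT;
  return format;
}

// … unchanged: aio_read up to the read_len check …
    const std::string format = object_format_for(soid);
// … unchanged: file_layout_t setup and Striper::file_to_extents call …
```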