From: Radoslaw Zarzynski
Date: Tue, 27 Jun 2017 15:37:41 +0000 (-0400)
Subject: rgw: reject request if decoded URI contains \0 in the middle.
X-Git-Tag: v12.1.1~22^2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=ed35722e9be7272977177e8c3b9d5b64aad13f46;p=ceph.git
rgw: reject request if decoded URI contains \0 in the middle.
Fixes: http://tracker.ceph.com/issues/20418
Signed-off-by: Radoslaw Zarzynski
---
diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc
index d4e494073ca6e..2f5a82561e60b 100644
--- a/src/rgw/rgw_common.cc
+++ b/src/rgw/rgw_common.cc
@@ -108,6 +108,7 @@ rgw_http_errors rgw_http_s3_errors({
 { ERR_INTERNAL_ERROR, {500, "InternalError" }},
 { ERR_NOT_IMPLEMENTED, {501, "NotImplemented" }},
 { ERR_SERVICE_UNAVAILABLE, {503, "ServiceUnavailable"}},
+ { ERR_ZERO_IN_URL, {400, "InvalidRequest" }},
 });
 rgw_http_errors rgw_http_swift_errors({
@@ -118,6 +119,10 @@ rgw_http_errors rgw_http_swift_errors({
 { ERR_BAD_URL, {412, "Bad URL" }},
 { ERR_NOT_SLO_MANIFEST, {400, "Not an SLO manifest" }},
 { ERR_QUOTA_EXCEEDED, {413, "QuotaExceeded" }},
+ /* FIXME(rzarzynski): we need to find a way to apply Swift's error handling
+ * procedures also for ERR_ZERO_IN_URL. This make a problem as the validation
+ * is performed very early, even before setting the req_state::proto_flags. */
+ { ERR_ZERO_IN_URL, {412, "Invalid UTF8 or contains NULL"}},
 });
 int rgw_perf_start(CephContext *cct)
diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h
index bf05d13a12f88..78c69935ba467 100644
--- a/src/rgw/rgw_common.h
+++ b/src/rgw/rgw_common.h
@@ -210,6 +210,7 @@ using ceph::crypto::MD5;
 #define ERR_INVALID_LOCATION_CONSTRAINT 2208
 #define ERR_TAG_CONFLICT 2209
 #define ERR_INVALID_TAG 2210
+#define ERR_ZERO_IN_URL 2211
 #define ERR_BUSY_RESHARDING 2300
diff --git a/src/rgw/rgw_rest.cc b/src/rgw/rgw_rest.cc
index a039034be6302..8299cff0562d6 100644
--- a/src/rgw/rgw_rest.cc
+++ b/src/rgw/rgw_rest.cc
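Review bot: In the rgw_http_swift_errors hunk of src/rgw/rgw_common.cc, the status text `"Invalid UTF8 or contains NULL"` promises more than this commit checks: the validation added in src/rgw/rgw_rest.cc only looks for an embedded `\0`, and no UTF-8 validation is visible anywhere in the patch. If the string is kept because it mirrors Swift's own wording (presumably the intent), the comment above the entry should say so, so that nobody assumes UTF-8 is validated on this path. The FIXME itself would read more clearly as `/* FIXME(rzarzynski): ERR_ZERO_IN_URL is raised before req_state::proto_flags is set, so Swift's error handling cannot yet be applied to it. */`.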
@@ -2212,6 +2212,10 @@ int RGWREST::preprocess(struct req_state *s, rgw::io::BasicClient* cio)
 }
 s->decoded_uri = url_decode(s->info.request_uri);
+ /* Validate for being free of the '\0' buried in the middle of the string. */
+ if (std::strlen(s->decoded_uri.c_str()) != s->decoded_uri.length()) {
+ return -ERR_ZERO_IN_URL;
+ }
 /* FastCGI specification, section 6.3
 * http://www.fastcgi.com/devkit/doc/fcgi-spec.html#S6.3
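Review bot: The new rejection in RGWREST::preprocess returns `-ERR_ZERO_IN_URL` without writing anything to the log, so an operator cannot tell why a request was refused or how often NUL-bearing URIs arrive; a line such as `ldout(s->cct, 10) << "rejecting request: decoded URI contains \\0" << dendl;` before the return would make that visible (log the fact, not the raw decoded string). The test states its intent more directly as `if (s->decoded_uri.find('\0') != std::string::npos) {`, which also avoids depending on `<cstring>` being included; the file's includes are outside the hunk. Only the path held in `decoded_uri` is validated here, and whether query arguments or other url-decoded inputs get the same check cannot be seen from this hunk, whose enclosing function continues beyond it.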