From 000797941fd303c3adc24f0089aeee0e902da205 Mon Sep 17 00:00:00 2001 From: Casey Bodley Date: Mon, 10 Dec 2018 12:38:01 -0500 Subject: [PATCH] rgw: sanitize customer encryption keys from log output in v4 auth Fixes: http://tracker.ceph.com/issues/37847 CVE-2018-16889 Signed-off-by: Casey Bodley --- src/rgw/rgw_auth_s3.cc | 3 ++- src/rgw/rgw_rest_s3.cc | 5 +++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/src/rgw/rgw_auth_s3.cc b/src/rgw/rgw_auth_s3.cc index d7aef8cd0a1..36a96e7b7e1 100644 --- a/src/rgw/rgw_auth_s3.cc +++ b/src/rgw/rgw_auth_s3.cc @@ -640,7 +640,8 @@ get_v4_canon_req_hash(CephContext* cct, const auto canonical_req_hash = calc_hash_sha256(canonical_req); - ldout(cct, 10) << "canonical request = " << canonical_req << dendl; + using sanitize = rgw::crypt_sanitize::log_content; + ldout(cct, 10) << "canonical request = " << sanitize{canonical_req} << dendl; ldout(cct, 10) << "canonical request hash = " << buf_to_hex(canonical_req_hash).data() << dendl; diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc index ed3a819af09..7708d328252 100644 --- a/src/rgw/rgw_rest_s3.cc +++ b/src/rgw/rgw_rest_s3.cc @@ -3883,8 +3883,9 @@ AWSGeneralAbstractor::get_auth_data_v4(const req_state* const s, boost::optional canonical_headers = \ get_v4_canonical_headers(s->info, signed_hdrs, using_qs); if (canonical_headers) { - ldout(s->cct, 10) << "canonical headers format = " << *canonical_headers - << dendl; + using sanitize = rgw::crypt_sanitize::log_content; + ldout(s->cct, 10) << "canonical headers format = " + << sanitize{*canonical_headers} << dendl; } else { throw -EPERM; } -- 2.39.5