From 6c4b5d4afe6e056dc634afa3adeff050dfb77199 Mon Sep 17 00:00:00 2001
From: John Spray <john.spray@redhat.com>
Date: Fri, 27 Nov 2015 12:27:47 +0000
Subject: [PATCH] mds: fix client root metadata validation

Signed-off-by: John Spray <john.spray@redhat.com>
---
 src/mds/Server.cc | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/mds/Server.cc b/src/mds/Server.cc
index 62cf62f1b2802..82ab288f198b6 100644
--- a/src/mds/Server.cc
+++ b/src/mds/Server.cc
@@ -284,7 +284,10 @@ void Server::handle_client_session(MClientSession *m)
     // root is actually within the caps of the session
     if (session->info.client_metadata.count("root")) {
       const auto claimed_root = session->info.client_metadata.at("root");
-      if (!session->auth_caps.path_capable(claimed_root)) {
+      // claimed_root has a leading "/" which we strip before passing
+      // into caps check
+      if (claimed_root.empty() || claimed_root[0] != '/' ||
+          !session->auth_caps.path_capable(claimed_root.substr(1))) {
         derr << __func__ << " forbidden path claimed as mount root: "
              << claimed_root << " by " << m->get_source() << dendl;
         // Tell the client we're rejecting their open
-- 
2.39.5