From e4164273cf3bf91b5d431938736739cd132678fb Mon Sep 17 00:00:00 2001
From: Seena Fallah
Date: Thu, 31 Oct 2024 21:00:17 +0100
Subject: [PATCH] rgw: return MalformedXML for empty objects list in DeleteObjects
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

When a request contains an empty list of objects, the current implementation returns a 200 OK. However, this behavior may raise security concerns, as it could imply the user has access to the bucket, even though access policies are only evaluated per object. To mitigate this risk, returning a 400 Bad Request would be a more secure approach. This ensures that no assumption is made about the user’s access to the bucket or its objects. Furthermore, this adjustment aligns with AWS behavior, enhancing compatibility.

Fixes: https://tracker.ceph.com/issues/68799
Signed-off-by: Seena Fallah
---
 src/rgw/rgw_op.cc | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index 67829e6320a..02e2d32e1e6 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -7319,6 +7319,12 @@ void RGWDeleteMultiObj::execute(optional_yield y)
 return;
 }
 
+ if (multi_delete->objects.empty()) {
+ s->err.message = "Missing required element Object";
+ op_ret = -ERR_MALFORMED_XML;
+ return;
+ }
+
 constexpr int DEFAULT_MAX_NUM = 1000;
 int max_num = s->cct->_conf->rgw_delete_multi_obj_max_num;
 if (max_num < 0) {
-- 
2.39.5
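Review bot: The new empty-list guard in RGWDeleteMultiObj::execute carries no comment, so its reason (per the commit message, access policies are evaluated only per object, so an empty list would return 200 without any authorization decision) is recorded only in the commit message. I would add above the `if`: `// Per-object policy checks never run for an empty list; reject it so a 200 cannot be read as proof of bucket access.` The patch touches only rgw_op.cc, so nothing here pins the 400 MalformedXML response; a regression test that sends a DeleteObjects body with no Object element, once as a permitted caller and once as a caller without access, would keep a later refactor from reintroducing the 200. The body of execute() starts and ends outside the hunk, so whether any bucket-level check already runs before this point cannot be confirmed from here.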