From 72e8fc52fb078fa1443e1ba5321718882969aa78 Mon Sep 17 00:00:00 2001
From: yuliyang <yuliyang@cmss.chinamobile.com>
Date: Thu, 26 Oct 2017 14:35:56 +0800
Subject: [PATCH] rgw: add cors header rule check in cors option request

fix http://tracker.ceph.com/issues/22002

Signed-off-by: yuliyang <yuliyang@cmss.chinamobile.com>
---
 src/rgw/rgw_op.cc | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index ca9a6f40f70c..1559e5fffa60 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -887,6 +887,20 @@ static bool validate_cors_rule_method(RGWCORSRule *rule, const char *req_meth) {
   return true;
 }
 
+static bool validate_cors_rule_header(RGWCORSRule *rule, const char *req_hdrs) {
+  if (req_hdrs) {
+    vector<string> hdrs;
+    get_str_vec(req_hdrs, hdrs);
+    for (const auto& hdr : hdrs) {
+      if (!rule->is_header_allowed(hdr.c_str(), hdr.length())) {
+        dout(5) << "Header " << hdr << " is not registered in this rule" << dendl;
+        return false;
+      }
+    }
+  }
+  return true;
+}
+
 int RGWOp::read_bucket_cors()
 {
   bufferlist bl;
@@ -5089,6 +5103,11 @@ int RGWOptionsCORS::validate_cors_request(RGWCORSConfiguration *cc) {
   if (!validate_cors_rule_method(rule, req_meth)) {
     return -ENOENT;
   }
+
+  if (!validate_cors_rule_header(rule, req_hdrs)) {
+    return -ENOENT;
+  }
+
   return 0;
 }
 
-- 
2.47.3