From 139495052ae3c87458ccd428f27657465a589201 Mon Sep 17 00:00:00 2001
From: Or Friedmann
Date: Sun, 5 Jan 2020 18:07:42 +0200
Subject: [PATCH] rgw: Fix upload part copy range able to get almost any string
Fix upload part copy range able to get almost any string
This PR intends to add more checking on HTTP_X_AMZ_COPY_SOURCE_RANGE header
Signed-off-by: Or Friedmann
---
 src/rgw/rgw_rest_s3.cc | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index de885d66b82..131909692e2 100644
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -1770,13 +1770,14 @@ int RGWPutObj_ObjStore_S3::get_params()
 if (copy_source_range) {
 string range = copy_source_range;
- pos = range.find("=");
- if (pos == std::string::npos) {
+ pos = range.find("bytes=");
+ if (pos == std::string::npos || pos != 0) {
 ret = -EINVAL;
 ldpp_dout(this, 5) << "x-amz-copy-source-range bad format" << dendl;
 return ret;
 }
- range = range.substr(pos + 1);
+ /* 6 is the length of "bytes=" */
+ range = range.substr(pos + 6);
 pos = range.find("-");
 if (pos == std::string::npos) {
 ret = -EINVAL;
@@ -1785,8 +1786,20 @@ int RGWPutObj_ObjStore_S3::get_params()
 }
 string first = range.substr(0, pos);
 string last = range.substr(pos + 1);
+ if (first.find_first_not_of("0123456789") != std::string::npos || last.find_first_not_of("0123456789") != std::string::npos)
+ {
+ ldpp_dout(this, 5) << "x-amz-copy-source-range bad format not an integer" << dendl;
+ ret = -EINVAL;
+ return ret;
+ }
 copy_source_range_fst = strtoull(first.c_str(), NULL, 10);
 copy_source_range_lst = strtoull(last.c_str(), NULL, 10);
+ if (copy_source_range_fst > copy_source_range_lst)
+ {
+ ret = -ERANGE;
+ ldpp_dout(this, 5) << "x-amz-copy-source-range bad format first number bigger than second" << dendl;
+ return ret;
+ }
 }
 } /* copy_source */
-- 
2.47.3
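Review bot: The prefix test in the first hunk searches the whole header value with `range.find("bytes=")` and then rejects any non-zero position, so the `pos == std::string::npos` half of the condition is redundant and the intent (the value must start with `bytes=`) is stated only indirectly. `if (range.compare(0, 6, "bytes=") != 0) {` followed by `range = range.substr(6);` says it directly and does not scan the rest of a client-supplied string. The literal 6 would read better as a named constant derived from the prefix, which makes the explanatory comment unnecessary. The enclosing get_params() starts and ends outside the hunk.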
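Review bot: The digit check added in the second hunk still lets an empty bound through, because `find_first_not_of` returns npos for an empty string: `bytes=-` and `bytes=-5` pass, `strtoull` on the empty string yields 0, and the request is handled as range 0-0 or 0-5 instead of being rejected. Adding `first.empty() || last.empty() ||` to that condition closes the gap. The two conversions also ignore overflow: a digit string beyond the unsigned long long range makes `strtoull` return ULLONG_MAX with errno set to ERANGE, and two such values satisfy the new ordering check, so set `errno = 0;` before the calls and return `-ERANGE` when it is set afterwards. The enclosing get_params() starts and ends outside the hunk, so any later bounds check against the source object size is not visible here.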