Bug 1403003

Summary: An anonymous user can provoke an abort() of the RGW server by sending a request with an invalid HTTP Origin header, against buckets with CORS AllowedOrigin rules.
Product: Red Hat Ceph Storage Reporter: Matt Benjamin (redhat) <mbenjamin>
Component: RGWAssignee: Matt Benjamin (redhat) <mbenjamin>
Status: CLOSED ERRATA QA Contact: shilpa <smanjara>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 2.1CC: cbodley, ceph-eng-bugs, kbader, kdreyer, kurs, mbenjamin, owasserm, sisharma, sweil
Target Milestone: rcKeywords: Security
Target Release: 2.1Flags: sisharma: needinfo? (mbenjamin)
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: RHEL: ceph-10.2.3-17.el7cp Ubuntu: ceph_10.2.3-18redhat1xenial Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1403007 (view as bug list) Environment:
Last Closed: 2016-12-15 16:49:26 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1403245    

Description Matt Benjamin (redhat) 2016-12-08 20:57:20 UTC 
Description of problem:
An authenticated user can provoke an abort() of the RGW server by sending a request with an invalid HTTP Origin header, against buckets with CORS AllowedOrigin rules.  The abort() is caused by an unhandled out-of-range exception matching the header with the supplied Origin header value.


Version-Release number of selected component (if applicable):
1.3.3, 2.0, 2.1


How reproducible:
100%


Steps to Reproduce:
1. set a CORS rule on an RGW bucket with a "long" (i.e., in this case, essentially any) value for AllowedOrigin
2. attempt access to any object in the above bucket, by any permitted user or anonymous with a value potentially initial-matching the AllowedOrigin, and of length less than that value
3. RGW halts

Actual results:
Server abort

Expected results:
Ordinary access or error behavior if client is forbidden by ACL.

Additional info:
N/A
Comment 7 shilpa 2016-12-13 10:00:31 UTC 
Verified on ceph-10.2.3-17.
Comment 10 errata-xmlrpc 2016-12-15 16:49:26 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2954.html