Bug 1403007

Summary: An anonymous user can provoke an abort() of the RGW server by sending a request with an invalid HTTP Origin header, against buckets with CORS AllowedOrigin rules.
Product: Red Hat Ceph Storage Reporter: Matt Benjamin (redhat) <mbenjamin>
Component: RGWAssignee: Matt Benjamin (redhat) <mbenjamin>
Status: CLOSED DUPLICATE QA Contact: ceph-qe-bugs <ceph-qe-bugs>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 1.3.3CC: cbodley, ceph-eng-bugs, ceph-qe-bugs, hnallurv, kbader, kdreyer, mbenjamin, owasserm, sisharma, sweil
Target Milestone: rcKeywords: Security
Target Release: 1.3.3   
Hardware: All   
OS: All   
Fixed In Version: RHEL: ceph-0.94.9-9.el7cp Ubuntu: ceph_0.94.9-10redhat1trusty Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1403003 Environment:
Last Closed: 2016-12-16 17:03:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1403245    

Comment 7 Ken Dreyer (Red Hat) 2016-12-16 17:03:54 UTC
Siddharth filed a security bug for RHCS 1.3, and we'll use that instead: bz 1404375

*** This bug has been marked as a duplicate of bug 1404375 ***