Bug 1776483

Summary: STS crashes with uncaught exception when session token is not base64 encoded
Product: [Red Hat Storage] Red Hat Ceph Storage
Reporter: Casey Bodley <cbodley>
Component: RGW
Assignee: Matt Benjamin (redhat) <mbenjamin>
Status: CLOSED ERRATA
QA Contact: Tejas <tchandra>
Severity: high
Priority: high
Version: 4.0
CC: cbodley, ceph-eng-bugs, kbader, mbenjamin, sweil, tserlin
Target Milestone: rc
Target Release: 4.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ceph-14.2.4-100.el8cp, ceph-14.2.4-37.el7cp
Doc Type: If docs needed, set a value
Story Points: ---
Clones: 1777050
Last Closed: 2020-01-31 12:48:19 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1777050

Description Casey Bodley 2019-11-25 19:09:41 UTC
Description of problem:

If the value of an X-Amz-Security-Token header is not valid base64, the attempt to decode it will throw an exception. This exception is not caught in STSEngine::get_session_token(), so it will terminate the process.


Version-Release number of selected component (if applicable):


How reproducible:

Whenever the X-Amz-Security-Token header contains an invalid character


Steps to Reproduce:

1. Add 'rgw s3 auth use sts = true' to radosgw configuration, then restart.

2. Send an http request with a bad X-Amz-Security-Token:

$ curl http://radosgw -H 'X-Amz-Security-Token: -' -H 'Authorization: AWS abd:def' -H "Date: `TZ=GMT date -R`"

Actual results:

curl: (52) Empty reply from server

and radosgw crashes

Expected results:

The request fails to authenticate, and replies with either 400 Bad Request or 403 Forbidden.


Additional info:

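The failure mode above, as an added illustration that is not Ceph's code: a strict base64 decoder that throws on any character outside the alphabet (standing in for the decoder the report describes), a caller in the crash-prone shape where the exception escapes, and a fail-closed wrapper that turns a malformed token into an authentication failure the caller can map to 400 or 403. The function names and the decoder are hypothetical.

```cpp
// Added example, not from the Ceph tree. Names are hypothetical.
#include <cstdint>
#include <optional>
#include <stdexcept>
#include <string>

// Hypothetical strict base64 decoder: throws on any character outside the
// alphabet, which is the behaviour the bug report attributes to the decoder.
std::string base64_decode_or_throw(const std::string& in) {
    static const std::string alphabet =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    std::string out;
    uint32_t buf = 0;
    int bits = 0;
    for (char c : in) {
        if (c == '=') break;                    // padding ends the data
        auto pos = alphabet.find(c);
        if (pos == std::string::npos)
            throw std::invalid_argument("invalid base64 character");
        buf = (buf << 6) | static_cast<uint32_t>(pos);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out.push_back(static_cast<char>((buf >> bits) & 0xFF));
            buf &= (1u << bits) - 1;            // keep only leftover bits
        }
    }
    return out;
}

// Crash-prone shape: nothing catches the exception, so a header value such
// as "-" unwinds straight through request handling and ends the process.
std::string get_session_token_unsafe(const std::string& header) {
    return base64_decode_or_throw(header);
}

// Fail-closed shape: a malformed or empty token yields std::nullopt, which
// the caller maps to a rejected request instead of a dead daemon.
std::optional<std::string> get_session_token_safe(const std::string& header) {
    if (header.empty()) return std::nullopt;
    try {
        return base64_decode_or_throw(header);
    } catch (const std::invalid_argument&) {
        return std::nullopt;                    // reject, do not crash
    }
}
```
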
Comment 1 RHEL Program Management 2019-11-25 19:09:49 UTC
Please specify the severity of this bug. Severity is defined here:
https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity.

Comment 9 errata-xmlrpc 2020-01-31 12:48:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0312