Bug 1258620 - RGW returns requested bucket name raw in "Bucket" response header
RGW returns requested bucket name raw in "Bucket" response header
Product: Red Hat Ceph Storage
Classification: Red Hat
Component: RGW (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: rc
: 1.2.4
Assigned To: Yehuda Sadeh
Depends On:
Blocks: CVE-2015-5245
  Show dependency treegraph
Reported: 2015-08-31 15:27 EDT by Yehuda Sadeh
Modified: 2017-07-30 11:55 EDT (History)
11 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1258621 (view as bug list)
Last Closed: 2015-12-08 11:32:25 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Ceph Project Bug Tracker 12537 None None None Never

  None (edit)
Description Yehuda Sadeh 2015-08-31 15:27:34 EDT
Description of problem:
PCI scans have determined that the RGW is returning whatever string it thought was the name of the bucket requested as raw text in the Bucket response header, which we are using to be able to track request/response cycles by bucket. The result is that things like this are possible (note the extra Content-type header):

$ curl -i "objects.dreamhost.com/nothing-to-see-here%22%0D%0AContent-type%3A%20%22image-jpg";echo
HTTP/1.1 400 Bad Request
Bucket: "nothing-to-see-here" 
Content-type: "image-jpg" 
Content-Length: 83
Accept-Ranges: bytes
Content-type: application/xml
Date: Mon, 27 Jul 2015 22:57:11 GMT


This could be considerably worse. It is in fact trivial to make the RGW return invalid HTTP responses this way as well (the resulting response is from HAProxy rejecting the invalid response from the RGW, as it should):

$ curl -i "objects.dreamhost.com/nothing-to-see-here%22%0D%0AContent-Length%3A%20%2282";echo
HTTP/1.0 502 Bad Gateway
Cache-Control: no-cache
Connection: close
Content-Type: text/html

<html><body><h1>502 Bad Gateway</h1>
The server returned an invalid or incomplete response.

The RGW needs to sanitize/clean-up the bucket name before including it in the bucket header, by encoding the data in a standard encoding so that it is impossible to do things like inserting new headers, data, etc.. that looks like meaningful parts of a real HTTP response.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. configure rgw with 'rgw expose bucket = true'
2. follow the directions specified in the bug description

Actual results:
bad Bucket response header

Expected results:

Bucket header should be escaped

Additional info:
Comment 4 Ken Dreyer (Red Hat) 2015-10-19 11:59:48 EDT
The fix has been merged to master and hammer (in v0.94.4).

Not yet merged to firefly upstream: https://github.com/ceph/ceph/pull/5730 . If this doesn't make v0.80.11, we'll need to carry the patches downstream.
Comment 10 Siddharth Sharma 2015-11-24 03:32:52 EST
Please close this bug as according to last meeing ceph-1.2.4 plan is dropped. I closing CVE bug and security tracker for ceph-1.2.4
Comment 11 Ken Dreyer (Red Hat) 2015-12-08 11:32:25 EST
Closing all RHCS 1.2 bugs, since we are not planning to do a formal RHCS 1.2.4 release.

This particular issue was fixed for RHCS 1.3 in the 1.3.1 release. https://bugzilla.redhat.com/show_bug.cgi?id=1258621

Note You need to log in before you can comment on or make changes to this bug.