Description of problem:
An authenticated user can provoke an abort() of the RGW server by sending a request with an invalid HTTP Origin header, against buckets with CORS AllowedOrigin rules. The abort() is caused by an unhandled out-of-range exception matching the header with the supplied Origin header value.
Version-Release number of selected component (if applicable):
1.3.3, 2.0, 2.1
Steps to Reproduce:
1. set a CORS rule on an RGW bucket with a "long" (i.e., in this case, essentially any) value for AllowedOrigin
2. attempt access to any object in the above bucket, by any permitted user or anonymous with a value potentially initial-matching the AllowedOrigin, and of length less than that value
3. RGW halts
Ordinary access or error behavior if client is forbidden by ACL.
Verified on ceph-10.2.3-17.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.