Description of problem: An authenticated user can provoke an abort() of the RGW server by sending a request with an invalid HTTP Origin header, against buckets with CORS AllowedOrigin rules. The abort() is caused by an unhandled out-of-range exception matching the header with the supplied Origin header value. Version-Release number of selected component (if applicable): 1.3.3, 2.0, 2.1 How reproducible: 100% Steps to Reproduce: 1. set a CORS rule on an RGW bucket with a "long" (i.e., in this case, essentially any) value for AllowedOrigin 2. attempt access to any object in the above bucket, by any permitted user or anonymous with a value potentially initial-matching the AllowedOrigin, and of length less than that value 3. RGW halts Actual results: Server abort Expected results: Ordinary access or error behavior if client is forbidden by ACL. Additional info: N/A
Verified on ceph-10.2.3-17.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2016-2954.html
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 365 days