Bug 1776483 - STS crashes with uncaught exception when session token is not base64 encoded
Summary: STS crashes with uncaught exception when session token is not base64 encoded
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat
Component: RGW
Version: 4.0
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: rc
: 4.0
Assignee: Matt Benjamin (redhat)
QA Contact: Tejas
URL:
Whiteboard:
Depends On:
Blocks: 1777050
TreeView+ depends on / blocked
 
Reported: 2019-11-25 19:09 UTC by Casey Bodley
Modified: 2020-01-31 12:48 UTC (History)
6 users (show)

Fixed In Version: ceph-14.2.4-100.el8cp, ceph-14.2.4-37.el7cp
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1777050 (view as bug list)
Environment:
Last Closed: 2020-01-31 12:48:19 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Ceph Project Bug Tracker 43018 0 None None None 2019-11-25 19:13:52 UTC
Github ceph ceph pull 31830 0 'None' closed rgw: fix rgw crash when token is not base64 encode 2020-01-23 20:49:20 UTC
Red Hat Product Errata RHBA-2020:0312 0 None None None 2020-01-31 12:48:30 UTC

Description Casey Bodley 2019-11-25 19:09:41 UTC
Description of problem:

If the value of a X-Amz-Security-Token header is not valid base64-encoded, the attempt to decode it will throw an exception. This exception is not caught in STSEngine::get_session_token(), so will terminate the process.


Version-Release number of selected component (if applicable):


How reproducible:

Whenever the X-Amz-Security-Token header contains an invalid character


Steps to Reproduce:

1. Add 'rgw s3 auth use sts = true' to radosgw configuration, then restart.

2. Send an http request with a bad X-Amz-Security-Token:

$ curl http://radosgw -H 'X-Amz-Security-Token: -' -H 'Authorization: AWS abd:def' -H "Date: `TZ=GMT date -R`"

Actual results:

curl: (52) Empty reply from server

and radosgw crashes

Expected results:

The request fails to authenticate, and replies with either 400 Bad Request or 403 Forbidden.


Additional info:

Comment 1 RHEL Program Management 2019-11-25 19:09:49 UTC
Please specify the severity of this bug. Severity is defined here:
https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity.

Comment 9 errata-xmlrpc 2020-01-31 12:48:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0312


Note You need to log in before you can comment on or make changes to this bug.