Description of problem:
If the value of an X-Amz-Security-Token header is not valid base64, the attempt to decode it will throw an exception. This exception is not caught in STSEngine::get_session_token(), so it will terminate the process.
Version-Release number of selected component (if applicable):
How reproducible:
Whenever the X-Amz-Security-Token header contains an invalid character
Steps to Reproduce:
1. Add 'rgw s3 auth use sts = true' to radosgw configuration, then restart.
2. Send an http request with a bad X-Amz-Security-Token:
$ curl http://radosgw -H 'X-Amz-Security-Token: -' -H 'Authorization: AWS abd:def' -H "Date: `TZ=GMT date -R`"
curl: (52) Empty reply from server
and radosgw crashes
Expected results:
The request fails to authenticate, and replies with either 400 Bad Request or 403 Forbidden.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
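
The failure mode described in this report, as an added example (not Ceph's code): a base64 decoder that throws on malformed input, wrapped so that a bad X-Amz-Security-Token value becomes an error code the caller can answer with 400 or 403. The names b64_decode_or_throw and decode_session_token are hypothetical.

```cpp
#include <cerrno>
#include <cstddef>
#include <stdexcept>
#include <string>

// Hypothetical strict decoder standing in for a base64 routine that throws
// on malformed input (assumption: not Ceph's implementation).
static std::string b64_decode_or_throw(const std::string& in) {
  static const std::string alphabet =
      "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
  if (in.empty() || in.size() % 4 != 0)
    throw std::invalid_argument("base64: bad length");
  std::size_t pad = 0;
  if (in[in.size() - 1] == '=') pad = (in[in.size() - 2] == '=') ? 2 : 1;
  std::string out;
  for (std::size_t i = 0; i < in.size(); i += 4) {
    unsigned v = 0;
    for (std::size_t j = 0; j < 4; ++j) {
      v <<= 6;
      if (i + j >= in.size() - pad) continue;  // trailing '=' carries no bits
      std::size_t idx = alphabet.find(in[i + j]);
      if (idx == std::string::npos)
        throw std::invalid_argument("base64: bad character");
      v |= static_cast<unsigned>(idx);
    }
    out.push_back(static_cast<char>((v >> 16) & 0xff));
    out.push_back(static_cast<char>((v >> 8) & 0xff));
    out.push_back(static_cast<char>(v & 0xff));
  }
  out.resize(out.size() - pad);  // drop the bytes produced by padding
  return out;
}

// Hypothetical request-handling step: decode the header value and convert a
// decode failure into an error code instead of letting the exception
// propagate out of the request path and terminate the process.
int decode_session_token(const std::string& header_value,
                         std::string& token) noexcept {
  try {
    token = b64_decode_or_throw(header_value);
    return 0;
  } catch (const std::exception&) {
    token.clear();
    return -EINVAL;  // caller replies 400 Bad Request or 403 Forbidden
  }
}
```
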