Bug 1776483 - STS crashes with uncaught exception when session token is not base64 encoded
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: RGW
Version: 4.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: 4.0
Assignee: Matt Benjamin (redhat)
QA Contact: Tejas
URL:
Whiteboard:
Depends On:
Blocks: 1777050
Reported: 2019-11-25 19:09 UTC by Casey Bodley
Modified: 2020-01-31 12:48 UTC (History)

Fixed In Version: ceph-14.2.4-100.el8cp, ceph-14.2.4-37.el7cp
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1777050
Environment:
Last Closed: 2020-01-31 12:48:19 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Ceph Project Bug Tracker 43018 0 None None None 2019-11-25 19:13:52 UTC
Github ceph ceph pull 31830 0 'None' closed rgw: fix rgw crash when token is not base64 encode 2020-01-23 20:49:20 UTC
Red Hat Product Errata RHBA-2020:0312 0 None None None 2020-01-31 12:48:30 UTC

Description Casey Bodley 2019-11-25 19:09:41 UTC
Description of problem:

If the value of an X-Amz-Security-Token header is not valid base64, the attempt to decode it will throw an exception. This exception is not caught in STSEngine::get_session_token(), so it will terminate the process.


Version-Release number of selected component (if applicable):


How reproducible:

Whenever the X-Amz-Security-Token header contains an invalid character


Steps to Reproduce:

1. Add 'rgw s3 auth use sts = true' to radosgw configuration, then restart.

2. Send an HTTP request with a bad X-Amz-Security-Token:

$ curl http://radosgw -H 'X-Amz-Security-Token: -' -H 'Authorization: AWS abd:def' -H "Date: `TZ=GMT date -R`"

Actual results:

curl: (52) Empty reply from server

and radosgw crashes

Expected results:

The request fails to authenticate, and replies with either 400 Bad Request or 403 Forbidden.


Additional info:
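
The pattern this report asks for, as an added example that is not part of the original report and is not Ceph code: a header value that fails base64 decoding is turned into an authentication failure at the point where untrusted input is decoded. The names decode_base64_strict and check_session_token are hypothetical, and the decoder is a stand-in for any decoder that throws on bad input.

```cpp
#include <cstdint>
#include <stdexcept>
#include <string>

// Hypothetical strict decoder: throws on any input that is not well-formed
// base64, which is the behaviour the report describes for the real decoder.
std::string decode_base64_strict(const std::string& in) {
    static const std::string alphabet =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    if (in.empty() || in.size() % 4 != 0)
        throw std::invalid_argument("base64: bad length");
    std::string out;
    std::uint32_t acc = 0;
    int bits = 0;
    std::size_t pad = 0;
    for (char c : in) {
        if (c == '=') { ++pad; continue; }
        std::size_t v = alphabet.find(c);
        // Reject characters outside the alphabet and data after padding.
        if (v == std::string::npos || pad > 0)
            throw std::invalid_argument("base64: invalid character");
        acc = (acc << 6) | static_cast<std::uint32_t>(v);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out.push_back(static_cast<char>((acc >> bits) & 0xFF));
        }
    }
    if (pad > 2) throw std::invalid_argument("base64: bad padding");
    return out;
}

// Hardened handling: the exception is caught where the untrusted header is
// decoded, so it cannot propagate out of the request path and end the process.
// Returns an HTTP status; 200 stands in for "go on to validate the token".
int check_session_token(const std::string& header_value, std::string& decoded) {
    try {
        decoded = decode_base64_strict(header_value);
    } catch (const std::exception&) {
        return 400;  // the report accepts either 400 or 403 here
    }
    return 200;
}
```

Calling decode_base64_strict directly from a request handler with no try block reproduces the reported behaviour: the exception escapes and the process terminates.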

Comment 1 RHEL Program Management 2019-11-25 19:09:49 UTC
Please specify the severity of this bug. Severity is defined here:
https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity.

Comment 9 errata-xmlrpc 2020-01-31 12:48:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0312
