Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Patch for v14.2.7 #188

Open
wants to merge 10 commits into
base: origin-v14.2.7-1733764927
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions src/auth/Auth.h
Original file line number Diff line number Diff line change
Expand Up @@ -192,6 +192,9 @@ struct AuthConnectionMeta {

std::unique_ptr<AuthAuthorizer> authorizer;
std::unique_ptr<AuthAuthorizerChallenge> authorizer_challenge;

///< set if msgr1 peer doesn't support CEPHX_V2
bool skip_authorizer_challenge = false;
};

/*
Expand Down
12 changes: 9 additions & 3 deletions src/auth/cephx/CephxServiceHandler.cc
Original file line number Diff line number Diff line change
Expand Up @@ -200,11 +200,14 @@ int CephxServiceHandler::handle_request(
}
}
encode(cbl, *result_bl);
// provite all of the other tickets at the same time
// provide requested service tickets at the same time
vector<CephXSessionAuthInfo> info_vec;
for (uint32_t service_id = 1; service_id <= req.other_keys;
service_id <<= 1) {
if (req.other_keys & service_id) {
// skip CEPH_ENTITY_TYPE_AUTH: auth ticket is already encoded
// (possibly encrypted with the old session key)
if ((req.other_keys & service_id) &&
service_id != CEPH_ENTITY_TYPE_AUTH) {
ldout(cct, 10) << " adding key for service "
<< ceph_entity_type_name(service_id) << dendl;
CephXSessionAuthInfo svc_info;
Expand Down Expand Up @@ -264,7 +267,10 @@ int CephxServiceHandler::handle_request(
int service_err = 0;
for (uint32_t service_id = 1; service_id <= ticket_req.keys;
service_id <<= 1) {
if (ticket_req.keys & service_id) {
// skip CEPH_ENTITY_TYPE_AUTH: auth ticket must be obtained with
// CEPHX_GET_AUTH_SESSION_KEY
if ((ticket_req.keys & service_id) &&
service_id != CEPH_ENTITY_TYPE_AUTH) {
ldout(cct, 10) << " adding key for service "
<< ceph_entity_type_name(service_id) << dendl;
CephXSessionAuthInfo info;
Expand Down
9 changes: 2 additions & 7 deletions src/mon/MonClient.cc
Original file line number Diff line number Diff line change
Expand Up @@ -1425,13 +1425,8 @@ int MonClient::handle_auth_request(
}

auto ac = &auth_meta->authorizer_challenge;
if (!HAVE_FEATURE(con->get_features(), CEPHX_V2)) {
if (cct->_conf->cephx_service_require_version >= 2) {
ldout(cct,10) << __func__ << " client missing CEPHX_V2 ("
<< "cephx_service_requre_version = "
<< cct->_conf->cephx_service_require_version << ")" << dendl;
return -EACCES;
}
if (auth_meta->skip_authorizer_challenge) {
ldout(cct, 10) << __func__ << " skipping challenge on " << con << dendl;
ac = nullptr;
}

Expand Down
22 changes: 18 additions & 4 deletions src/msg/async/ProtocolV1.cc
Original file line number Diff line number Diff line change
Expand Up @@ -1908,7 +1908,8 @@ CtPtr ProtocolV1::handle_connect_message_2() {
// require signatures for cephx?
if (connect_msg.authorizer_protocol == CEPH_AUTH_CEPHX) {
if (connection->peer_type == CEPH_ENTITY_TYPE_OSD ||
connection->peer_type == CEPH_ENTITY_TYPE_MDS) {
connection->peer_type == CEPH_ENTITY_TYPE_MDS ||
connection->peer_type == CEPH_ENTITY_TYPE_MGR) {
if (cct->_conf->cephx_require_signatures ||
cct->_conf->cephx_cluster_require_signatures) {
ldout(cct, 10)
Expand All @@ -1917,6 +1918,14 @@ CtPtr ProtocolV1::handle_connect_message_2() {
<< dendl;
connection->policy.features_required |= CEPH_FEATURE_MSG_AUTH;
}
if (cct->_conf->cephx_require_version >= 2 ||
cct->_conf->cephx_cluster_require_version >= 2) {
ldout(cct, 10)
<< __func__
<< " using cephx, requiring cephx v2 feature bit for cluster"
<< dendl;
connection->policy.features_required |= CEPH_FEATUREMASK_CEPHX_V2;
}
} else {
if (cct->_conf->cephx_require_signatures ||
cct->_conf->cephx_service_require_signatures) {
Expand All @@ -1926,9 +1935,14 @@ CtPtr ProtocolV1::handle_connect_message_2() {
<< dendl;
connection->policy.features_required |= CEPH_FEATURE_MSG_AUTH;
}
}
if (cct->_conf->cephx_service_require_version >= 2) {
connection->policy.features_required |= CEPH_FEATURE_CEPHX_V2;
if (cct->_conf->cephx_require_version >= 2 ||
cct->_conf->cephx_service_require_version >= 2) {
ldout(cct, 10)
<< __func__
<< " using cephx, requiring cephx v2 feature bit for service"
<< dendl;
connection->policy.features_required |= CEPH_FEATUREMASK_CEPHX_V2;
}
}
}

Expand Down
12 changes: 7 additions & 5 deletions src/rgw/rgw_cors.cc
Original file line number Diff line number Diff line change
Expand Up @@ -144,11 +144,13 @@ bool RGWCORSRule::is_header_allowed(const char *h, size_t len) {

void RGWCORSRule::format_exp_headers(string& s) {
s = "";
for(list<string>::iterator it = exposable_hdrs.begin();
it != exposable_hdrs.end(); ++it) {
if (s.length() > 0)
s.append(",");
s.append((*it));
for (const auto& header : exposable_hdrs) {
if (s.length() > 0)
s.append(",");
// these values are sent to clients in a 'Access-Control-Expose-Headers'
// response header, so we escape '\n' and '\r' to avoid header injection
std::string tmp = boost::replace_all_copy(header, "\n", "\\n");
boost::replace_all_copy(std::back_inserter(s), tmp, "\r", "\\r");
}
}

Expand Down
27 changes: 27 additions & 0 deletions src/rgw/rgw_rest_s3.cc
Original file line number Diff line number Diff line change
Expand Up @@ -177,6 +177,15 @@ int decode_attr_bl_single_value(map<string, bufferlist>& attrs, const char *attr
return 0;
}

inline bool str_has_cntrl(const std::string s) {
return std::any_of(s.begin(), s.end(), ::iscntrl);
}

inline bool str_has_cntrl(const char* s) {
std::string _s(s);
return str_has_cntrl(_s);
}

int RGWGetObj_ObjStore_S3::send_response_data(bufferlist& bl, off_t bl_ofs,
off_t bl_len)
{
Expand Down Expand Up @@ -282,6 +291,24 @@ int RGWGetObj_ObjStore_S3::send_response_data(bufferlist& bl, off_t bl_ofs,
bool exists;
string val = s->info.args.get(p->param, &exists);
if (exists) {
/* reject unauthenticated response header manipulation, see
* https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html */
if (s->auth.identity->is_anonymous()) {
return -ERR_INVALID_REQUEST;
}
/* HTTP specification says no control characters should be present in
* header values: https://tools.ietf.org/html/rfc7230#section-3.2
* field-vchar = VCHAR / obs-text
*
* Failure to validate this permits a CRLF injection in HTTP headers,
* whereas S3 GetObject only permits specific headers.
*/
if(str_has_cntrl(val)) {
/* TODO: return a more distinct error in future;
* stating what the problem is */
return -ERR_INVALID_REQUEST;
}

if (strcmp(p->param, "response-content-type") != 0) {
response_attrs[p->http_attr] = val;
} else {
Expand Down
3 changes: 3 additions & 0 deletions src/rgw/rgw_rest_swift.cc
Original file line number Diff line number Diff line change
Expand Up @@ -2545,6 +2545,9 @@ bool RGWSwiftWebsiteHandler::is_web_dir() const
return false;
} else if (subdir_name.back() == '/') {
subdir_name.pop_back();
if (subdir_name.empty()) {
return false;
}
}

rgw_obj obj(s->bucket, std::move(subdir_name));
Expand Down