Bug #12537

[CVE-2015-5245] RGW returns requested bucket name raw in "Bucket" response header

Added by Vimal A.R about 1 year ago. Updated 11 months ago.

Status: Resolved
Start date: 07/30/2015
Priority: High
Due date:
Assignee: -
% Done: 0%
Category: -
Target version: -
Source: Community (user)
Reviewed:
Tags:
Affected Versions: Ceph - v0.80.10
Backport: hammer,firefly
ceph-qa-suite:
Regression: No
Release:
Severity:

Description

PCI scans have determined that the RGW is returning whatever string it thought was the name of the bucket requested as raw text in the Bucket response header, which we are using to be able to track request/response cycles by bucket. The result is that things like this are possible (note the extra Content-type header):

<snip>
$ curl -i "objects.dreamhost.com/nothing-to-see-here%22%0D%0AContent-type%3A%20%22image-jpg";echo
HTTP/1.1 400 Bad Request
Bucket: "nothing-to-see-here"
Content-type: "image-jpg"
Content-Length: 83
Accept-Ranges: bytes
Content-type: application/xml
Date: Mon, 27 Jul 2015 22:57:11 GMT

<Error><Code>InvalidBucketName</Code></Error>
</snip>

This could be considerably worse. It is in fact trivial to make the RGW return invalid HTTP responses this way as well (the resulting response is from HAProxy rejecting the invalid response from the RGW, as it should):

<snip>
$ curl -i "objects.dreamhost.com/nothing-to-see-here%22%0D%0AContent-Length%3A%20%2282";echo
HTTP/1.0 502 Bad Gateway
Cache-Control: no-cache
Connection: close
Content-Type: text/html

<html><body><h1>502 Bad Gateway</h1>
The server returned an invalid or incomplete response.
</body></html>
</snip>

The RGW needs to sanitize/clean up the bucket name before including it in the bucket header, by encoding the data in a standard encoding so that it is impossible to do things like inserting new headers, data, etc., that look like meaningful parts of a real HTTP response.

This is on the following package versions:

  • Ceph version 0.80.10-1-g364151a (364151acb8d5cd4e2ad8c670c5882bf1be48a6ac)
  • Radosgw with CivetWeb 0.80.10-1-g364151a-1precise
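The encoding the report asks for, shown as an added example that is not Ceph's own code: a hypothetical `percent_encode` helper is applied to the decoded bucket name from the first curl above, and a CRLF counter shows why the raw header line is a response-splitting vector while the encoded one is a single header.

```cpp
#include <cstdio>
#include <string>

// Hypothetical helper (not RGW's url_encode): percent-encode every byte outside
// the RFC 3986 unreserved set, so CR, LF, quotes, colons and spaces can never
// appear literally in a header value.
static std::string percent_encode(const std::string& in) {
    static const char* hex = "0123456789ABCDEF";
    std::string out;
    for (unsigned char c : in) {
        bool unreserved = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                          (c >= '0' && c <= '9') || c == '-' || c == '_' ||
                          c == '.' || c == '~';
        if (unreserved) {
            out += static_cast<char>(c);
        } else {
            out += '%';
            out += hex[c >> 4];
            out += hex[c & 0x0F];
        }
    }
    return out;
}

// Constructed input: what the gateway holds after URL-decoding the request path
// "nothing-to-see-here%22%0D%0AContent-type%3A%20%22image-jpg" from the report.
static const std::string kDecodedBucket =
    "nothing-to-see-here\"\r\nContent-type: \"image-jpg";

// Vulnerable form: the raw name is dropped straight into the header line.
static std::string raw_bucket_header(const std::string& bucket) {
    return "Bucket: " + bucket + "\r\n";
}

// Hardened form: the name is encoded before it reaches the header.
static std::string encoded_bucket_header(const std::string& bucket) {
    return "Bucket: " + percent_encode(bucket) + "\r\n";
}

// Detection check: one well-formed header line contains exactly one CRLF.
static int count_crlf(const std::string& s) {
    int n = 0;
    for (std::size_t pos = s.find("\r\n"); pos != std::string::npos;
         pos = s.find("\r\n", pos + 2)) {
        ++n;
    }
    return n;
}

int main() {
    std::printf("raw header CRLFs:     %d\n", count_crlf(raw_bucket_header(kDecodedBucket)));
    std::printf("encoded header CRLFs: %d\n", count_crlf(encoded_bucket_header(kDecodedBucket)));
    std::printf("%s", encoded_bucket_header(kDecodedBucket).c_str());
    return 0;
}
```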

Related issues

Related to Backport #12889: RGW returns requested bucket name raw in "Bucket" response header Resolved
Copied to Backport #12592: RGW returns requested bucket name raw in "Bucket" response header Resolved 07/30/2015
Copied to Backport #12942: RGW returns requested bucket name raw in "Bucket" response header Resolved 07/30/2015

Associated revisions

Revision ad5507fe
Added by Yehuda Sadeh about 1 year ago

rgw: url encode exposed bucket

Fixes: #12537
Don't send the bucket name back without url encoding it.

Signed-off-by: Yehuda Sadeh <>

Revision 8ba6b2f6
Added by Yehuda Sadeh about 1 year ago

rgw: url encode exposed bucket

Fixes: #12537
Don't send the bucket name back without url encoding it.

Signed-off-by: Yehuda Sadeh <>
(cherry picked from commit ad5507fe0bf72ed5bdf8353e315cc9092c740144)

Revision e7931a73
Added by Yehuda Sadeh almost 1 year ago

rgw: url encode exposed bucket

Fixes: #12537
Don't send the bucket name back without url encoding it.

Signed-off-by: Yehuda Sadeh <>
(cherry picked from commit ad5507fe0bf72ed5bdf8353e315cc9092c740144)

Revision c823c27c
Added by Yehuda Sadeh almost 1 year ago

rgw: url encode exposed bucket

Fixes: #12537
Don't send the bucket name back without url encoding it.

Signed-off-by: Yehuda Sadeh <>
(cherry picked from commit ad5507fe0bf72ed5bdf8353e315cc9092c740144)

Revision 492de998
Added by Yehuda Sadeh 11 months ago

rgw: url encode exposed bucket

Fixes: #12537
Don't send the bucket name back without url encoding it.

Signed-off-by: Yehuda Sadeh <>
(cherry picked from commit ad5507fe0bf72ed5bdf8353e315cc9092c740144)

History

#1 Updated by Nathan Cutler about 1 year ago

  • Tracker changed from Tasks to Bug
  • Project changed from Stable releases to rgw
  • Source set to Community (user)
  • Regression set to No

#3 Updated by Sage Weil about 1 year ago

  • Status changed from New to Pending Backport
  • Backport set to hammer

#4 Updated by Vimal A.R about 1 year ago

Sage,

When can the Hammer backport be expected? Is there a time-line to expect this?

Vimal

#5 Updated by Ken Dreyer 12 months ago

  • Subject changed from RGW returns requested bucket name raw in "Bucket" response header to [CVE-2015-5245] RGW returns requested bucket name raw in "Bucket" response header

This is now being tracked as CVE-2015-5245.

#6 Updated by Ken Dreyer 12 months ago

Please see https://www.owasp.org/index.php/HTTP_Response_Splitting for an explanation about HTTP header manipulation attacks.

#7 Updated by Nathan Cutler 12 months ago

  • Backport changed from hammer to hammer,firefly

#8 Updated by Loic Dachary 11 months ago

  • Status changed from Pending Backport to Resolved
