Project

General

Profile

Bug #18187

rgw:radosgw server abort when accept a CORS request with short origin

Added by yang liu 7 months ago. Updated 5 months ago.

Status:
Resolved
Priority:
Urgent
Assignee:
Target version:
-
Start date:
12/08/2016
Due date:
% Done:

0%

Source:
other
Tags:
Backport:
jewel, hammer
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Release:
Needs Doc:
No

Description

set public-acl to a rgw object.

set cors rule to the bucket(eg: <AllowedOrigin>*.verylongdomain.com</AllowedOrigin>).

simulating a CORS requests.

$ curl http://test.localhost:8000/app.data -H "Origin:http://s.com" 

 0> 2016-12-05 03:22:29.548138 7f6add05d700 -1 *** Caught signal (Aborted) **
 in thread 7f6add05d700 thread_name:civetweb-worker

 ceph version 11.0.2-2168-gd2f8fb4 (d2f8fb4a6ba75af7e6da0f5a7f1b49ec998b1631)
 1: (()+0x50720a) [0x7f6b147c420a]
 2: (()+0xf370) [0x7f6b09a33370]
 3: (gsignal()+0x37) [0x7f6b081ca1d7]
 4: (abort()+0x148) [0x7f6b081cb8c8]
 5: (__gnu_cxx::__verbose_terminate_handler()+0x165) [0x7f6b08ace9d5]
 6: (()+0x5e946) [0x7f6b08acc946]
 7: (()+0x5e973) [0x7f6b08acc973]
 8: (()+0x5eb93) [0x7f6b08accb93]
 9: (std::__throw_out_of_range(char const*)+0x77) [0x7f6b08b21a17]
 10: (()+0xbd97a) [0x7f6b08b2b97a]
 11: (()+0x449c1e) [0x7f6b14706c1e]
 12: (RGWCORSRule::is_origin_present(char const*)+0x48) [0x7f6b147073b8]
 13: (RGWCORSConfiguration::host_name_rule(char const*)+0x37) [0x7f6b147074e7]
 14: (RGWOp::generate_cors_headers(std::string&, std::string&, std::string&, std::string&, unsigned int*)+0xa3) [0x7f6b14593e63]
 15: (dump_access_control(req_state*, RGWOp*)+0x61) [0x7f6b14653f91]


Related issues

Copied to rgw - Backport #18212: jewel: rgw:radosgw server abort when accept a CORS request with short origin Resolved
Copied to rgw - Backport #18213: hammer: rgw:radosgw server abort when accept a CORS request with short origin Resolved

Associated revisions

Revision 67d4d9e6 (diff)
Added by yang liu 7 months ago

rgw: do not abort when accept a CORS request with short origin

Fixed: #18187

when accept a CROS request, the request http origin shorter than the bucket's corsrule
(eg. origin: http://s.com corsrule: <AllowedOrigin>*.verylongdomain.com</AllowedOrigin>).
the rgw_cors.cc::is_string_in_set() will have a wrong index, the radosrgw server will
abort.

$ curl http://test.localhost:8000/app.data -H "Origin:http://s.com"

0> 2016-12-05 03:22:29.548138 7f6add05d700 -1 ** Caught signal (Aborted) *
in thread 7f6add05d700 thread_name:civetweb-worker
ceph version 11.0.2-2168-gd2f8fb4 (d2f8fb4a6ba75af7e6da0f5a7f1b49ec998b1631)
1: (()+0x50720a) [0x7f6b147c420a]
2: (()+0xf370) [0x7f6b09a33370]
3: (gsignal()+0x37) [0x7f6b081ca1d7]
4: (abort()+0x148) [0x7f6b081cb8c8]
5: (_gnu_cxx::_verbose_terminate_handler()+0x165) [0x7f6b08ace9d5]
6: (()+0x5e946) [0x7f6b08acc946]
7: (()+0x5e973) [0x7f6b08acc973]
8: (()+0x5eb93) [0x7f6b08accb93]
9: (std::__throw_out_of_range(char const*)+0x77) 0x7f6b08b21a17]
10: (()+0xbd97a) [0x7f6b08b2b97a]
11: (()+0x449c1e) [0x7f6b14706c1e]
12: (RGWCORSRule::is_origin_present(char const*)+0x48) [0x7f6b147073b8]
13: (RGWCORSConfiguration::host_name_rule(char const*)+0x37) [0x7f6b147074e7]
14: (RGWOp::generate_cors_headers(std::string&, std::string&, std::string&, std::string&, unsigned int*)+0xa3) [0x7f6b14593e63]
15: (dump_access_control(req_state*, RGWOp*)+0x61) [0x7f6b14653f91]

Signed-off-by: LiuYang <>

Revision 4eb7c731 (diff)
Added by yang liu 7 months ago

rgw: do not abort when accept a CORS request with short origin

Fixed: #18187

when accept a CROS request, the request http origin shorter than the bucket's corsrule
(eg. origin: http://s.com corsrule: <AllowedOrigin>*.verylongdomain.com</AllowedOrigin>).
the rgw_cors.cc::is_string_in_set() will have a wrong index, the radosrgw server will
abort.

$ curl http://test.localhost:8000/app.data -H "Origin:http://s.com"

0> 2016-12-05 03:22:29.548138 7f6add05d700 -1 ** Caught signal (Aborted) *
in thread 7f6add05d700 thread_name:civetweb-worker
ceph version 11.0.2-2168-gd2f8fb4 (d2f8fb4a6ba75af7e6da0f5a7f1b49ec998b1631)
1: (()+0x50720a) [0x7f6b147c420a]
2: (()+0xf370) [0x7f6b09a33370]
3: (gsignal()+0x37) [0x7f6b081ca1d7]
4: (abort()+0x148) [0x7f6b081cb8c8]
5: (_gnu_cxx::_verbose_terminate_handler()+0x165) [0x7f6b08ace9d5]
6: (()+0x5e946) [0x7f6b08acc946]
7: (()+0x5e973) [0x7f6b08acc973]
8: (()+0x5eb93) [0x7f6b08accb93]
9: (std::__throw_out_of_range(char const*)+0x77) 0x7f6b08b21a17]
10: (()+0xbd97a) [0x7f6b08b2b97a]
11: (()+0x449c1e) [0x7f6b14706c1e]
12: (RGWCORSRule::is_origin_present(char const*)+0x48) [0x7f6b147073b8]
13: (RGWCORSConfiguration::host_name_rule(char const*)+0x37) [0x7f6b147074e7]
14: (RGWOp::generate_cors_headers(std::string&, std::string&, std::string&, std::string&, unsigned int*)+0xa3) [0x7f6b14593e63]
15: (dump_access_control(req_state*, RGWOp*)+0x61) [0x7f6b14653f91]

Signed-off-by: LiuYang <>
(cherry picked from commit 67d4d9e64bc224e047cf333e673bb22cd6290789)

Revision 0f83bb7d (diff)
Added by yang liu 7 months ago

rgw: do not abort when accept a CORS request with short origin

Fixed: #18187

when accept a CROS request, the request http origin shorter than the bucket's corsrule
(eg. origin: http://s.com corsrule: <AllowedOrigin>*.verylongdomain.com</AllowedOrigin>).
the rgw_cors.cc::is_string_in_set() will have a wrong index, the radosrgw server will
abort.

$ curl http://test.localhost:8000/app.data -H "Origin:http://s.com"

0> 2016-12-05 03:22:29.548138 7f6add05d700 -1 ** Caught signal (Aborted) *
in thread 7f6add05d700 thread_name:civetweb-worker
ceph version 11.0.2-2168-gd2f8fb4 (d2f8fb4a6ba75af7e6da0f5a7f1b49ec998b1631)
1: (()+0x50720a) [0x7f6b147c420a]
2: (()+0xf370) [0x7f6b09a33370]
3: (gsignal()+0x37) [0x7f6b081ca1d7]
4: (abort()+0x148) [0x7f6b081cb8c8]
5: (_gnu_cxx::_verbose_terminate_handler()+0x165) [0x7f6b08ace9d5]
6: (()+0x5e946) [0x7f6b08acc946]
7: (()+0x5e973) [0x7f6b08acc973]
8: (()+0x5eb93) [0x7f6b08accb93]
9: (std::__throw_out_of_range(char const*)+0x77) 0x7f6b08b21a17]
10: (()+0xbd97a) [0x7f6b08b2b97a]
11: (()+0x449c1e) [0x7f6b14706c1e]
12: (RGWCORSRule::is_origin_present(char const*)+0x48) [0x7f6b147073b8]
13: (RGWCORSConfiguration::host_name_rule(char const*)+0x37) [0x7f6b147074e7]
14: (RGWOp::generate_cors_headers(std::string&, std::string&, std::string&, std::string&, unsigned int*)+0xa3) [0x7f6b14593e63]
15: (dump_access_control(req_state*, RGWOp*)+0x61) [0x7f6b14653f91]

Signed-off-by: LiuYang <>
(cherry picked from commit 67d4d9e64bc224e047cf333e673bb22cd6290789)

History

#1 Updated by yang liu 7 months ago

patches have been pushed:
https://github.com/ceph/ceph/pull/12381

#2 Updated by Yehuda Sadeh 7 months ago

  • Priority changed from Normal to Urgent

#3 Updated by Matt Benjamin 7 months ago

Bug verified.

#4 Updated by Yehuda Sadeh 7 months ago

  • Status changed from New to Pending Backport
  • Backport set to jewel, hammer

#5 Updated by Ken Dreyer 7 months ago

I've requested that the Red Hat security team assign a CVE to this issue.

#7 Updated by Nathan Cutler 7 months ago

  • Copied to Backport #18212: jewel: rgw:radosgw server abort when accept a CORS request with short origin added

#8 Updated by Nathan Cutler 7 months ago

  • Copied to Backport #18213: hammer: rgw:radosgw server abort when accept a CORS request with short origin added

#9 Updated by Ken Dreyer 7 months ago

Red Hat's security team assigned CVE-2016-9579 to this issue.

#10 Updated by Nathan Cutler 5 months ago

  • Status changed from Pending Backport to Resolved

Also available in: Atom PDF