Project

General

Profile

Bug #22002

rgw: add cors header rule check in cors option request

Added by joke lee over 1 year ago. Updated 12 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Target version:
Start date:
11/02/2017
Due date:
% Done:

0%

Source:
Tags:
Backport:
luminous jewel
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:

Description

hi,

i set cors on bucket test1 as follow


<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
<AllowedOrigin>*</AllowedOrigin>
<AllowedMethod>GET</AllowedMethod>
<AllowedHeader>header1</AllowedHeader>
</CORSRule>
</CORSConfiguration>

and

curl -v -X OPTIONS http://10.139.13.205/test1/1.txt --header "Origin: example.com" --header "Access-Control-Request-Headers: header2" --header "Access-Control-Request-Method: GET"

and the output

  • About to connect() to 10.139.13.205 port 80 (#0)
  • Trying 10.139.13.205...
  • Connected to 10.139.13.205 (10.139.13.205) port 80 (#0)

OPTIONS /test1/1.txt HTTP/1.1
User-Agent: curl/7.29.0
Host: 10.139.13.205
Accept: */*
Origin: example.com
Access-Control-Request-Headers: header2
Access-Control-Request-Method: GET

< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: example.com <===== here should not return
< Vary: Origin
< Access-Control-Allow-Methods: GET <===== here should not return
< x-amz-request-id: tx000000000000000000196-0059f1a358-3715-default
< Content-Length: 0
< Date: Thu, 26 Oct 2017 08:56:56 GMT
<
  • Connection #0 to host 10.139.13.205 left intact

and follow is what aws s3 response

  • Connected to testbyyly.s3.amazonaws.com (52.216.1.32) port 80 (#0)

OPTIONS /1.txt HTTP/1.1
User-Agent: curl/7.29.0
Host: testbyyly.s3.amazonaws.com
Accept: */*
Origin: example.com
Access-Control-Request-Headers: header2
Access-Control-Request-Method: GET

< HTTP/1.1 403 Forbidden
< x-amz-request-id: 013834B2B978805D
< x-amz-id-2: yOLwwhUGiNhAsI2IU4USP9cbFr5wCm/CRxOqHLZ68+0vCViq0GJ1dwlMv3spcCy9WhkIw+VEPEg=
< Content-Type: application/xml
< Transfer-Encoding: chunked
< Date: Thu, 26 Oct 2017 08:58:52 GMT
< Server: AmazonS3
<
  • Connection #0 to host testbyyly.s3.amazonaws.com left intact
    <Error><Code>AccessForbidden</Code><Message>CORSResponse: This CORS request is not allowed. This is usually because the evalution of Origin, request method / Access-Control-Request-Method orAccess-Control-Request-Headers are not whitelisted by the resource's CORS spec.</Message><Method>GET</Method><ResourceType>OBJECT</ResourceType><RequestId>013834B2B978805D</RequestId><HostId>yOLwwhUGiNhAsI2IU4USP9cbFr5wCm/CRxOqHLZ68+0vCViq0GJ1dwlMv3spcCy9WhkIw+VEPEg=</HostId></Error>

we need to add cors header rule check in cors option request


Related issues

Copied to rgw - Backport #22187: luminous: rgw: add cors header rule check in cors option request Resolved
Copied to rgw - Backport #22188: jewel: rgw: add cors header rule check in cors option request Resolved

History

#2 Updated by Casey Bodley over 1 year ago

  • Status changed from New to Testing
  • Backport set to luminous jewel

test in https://github.com/ceph/s3-tests/pull/192 for backport as well

#3 Updated by Yuri Weinstein over 1 year ago

joke lee wrote:

https://github.com/ceph/ceph/pull/18556 fix this

merged

#4 Updated by Matt Benjamin over 1 year ago

  • Status changed from Testing to Pending Backport

#5 Updated by Nathan Cutler over 1 year ago

  • Copied to Backport #22187: luminous: rgw: add cors header rule check in cors option request added

#6 Updated by Nathan Cutler over 1 year ago

  • Copied to Backport #22188: jewel: rgw: add cors header rule check in cors option request added

#7 Updated by Nathan Cutler 12 months ago

  • Status changed from Pending Backport to Resolved

Also available in: Atom PDF