Project

General

Profile

Bug #24223

Invalid Access-Control-Request-Request may bypass validate_cors_rule_method

Added by Jeegn Chen 10 months ago. Updated 7 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Target version:
-
Start date:
05/16/2018
Due date:
% Done:

0%

Source:
Tags:
Backport:
luminous mimic
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:

Description

static bool validate_cors_rule_method(RGWCORSRule *rule, const char *req_meth) {
  uint8_t flags = 0;

  if (!req_meth) {
    dout(5) << "req_meth is null" << dendl;
    return false;
  }

  if (strcmp(req_meth, "GET") == 0) flags = RGW_CORS_GET;
  else if (strcmp(req_meth, "POST") == 0) flags = RGW_CORS_POST;
  else if (strcmp(req_meth, "PUT") == 0) flags = RGW_CORS_PUT;
  else if (strcmp(req_meth, "DELETE") == 0) flags = RGW_CORS_DELETE;
  else if (strcmp(req_meth, "HEAD") == 0) flags = RGW_CORS_HEAD;

  if ((rule->get_allowed_methods() & flags) == flags) { <<<<<<<<<< if req_meth=="GET, DELETE", flags will be 0 and the check will succeed. Then "GET, DELETE" will appear as the value of Access-Control-Allow-Methods in the response
    dout(10) << "Method " << req_meth << " is supported" << dendl;
  } else {
    dout(5) << "Method " << req_meth << " is not supported" << dendl;
    return false;
  }

  return true;
}

Maybe the snippet should be

static bool validate_cors_rule_method(RGWCORSRule *rule, const char *req_meth) {
  uint8_t flags = 0;

  if (!req_meth) {
    dout(5) << "req_meth is null" << dendl;
    return false;
  }

  if (strcmp(req_meth, "GET") == 0) flags = RGW_CORS_GET;
  else if (strcmp(req_meth, "POST") == 0) flags = RGW_CORS_POST;
  else if (strcmp(req_meth, "PUT") == 0) flags = RGW_CORS_PUT;
  else if (strcmp(req_meth, "DELETE") == 0) flags = RGW_CORS_DELETE;
  else if (strcmp(req_meth, "HEAD") == 0) flags = RGW_CORS_HEAD;

  if (flags && (rule->get_allowed_methods() & flags) == flags) { <<<<<<<<<<
    dout(10) << "Method " << req_meth << " is supported" << dendl;
  } else {
    dout(5) << "Method " << req_meth << " is not supported" << dendl;
    return false;
  }

  return true;
}


Related issues

Copied to rgw - Backport #24809: mimic: Invalid Access-Control-Request-Request may bypass validate_cors_rule_method Resolved
Copied to rgw - Backport #24810: luminous: Invalid Access-Control-Request-Request may bypass validate_cors_rule_method Resolved

History

#2 Updated by Casey Bodley 10 months ago

  • Status changed from New to Testing
  • Backport set to luminous mimic

#3 Updated by Orit Wasserman 10 months ago

  • Assignee set to Casey Bodley

#4 Updated by Yuri Weinstein 9 months ago

Jeegn Chen wrote:

PR: https://github.com/ceph/ceph/pull/22145

mergedReviewed-by: Casey Bodley <>

#5 Updated by Casey Bodley 9 months ago

  • Status changed from Testing to Pending Backport

#6 Updated by Nathan Cutler 9 months ago

  • Copied to Backport #24809: mimic: Invalid Access-Control-Request-Request may bypass validate_cors_rule_method added

#7 Updated by Nathan Cutler 9 months ago

  • Copied to Backport #24810: luminous: Invalid Access-Control-Request-Request may bypass validate_cors_rule_method added

#8 Updated by Nathan Cutler 7 months ago

  • Status changed from Pending Backport to Resolved

Also available in: Atom PDF