Bug #64084

open

Missing validation for request header x_amz_content_sha256

Added by djf daijufang 4 months ago. Updated 3 months ago.

Status: Pending Backport
Priority: Normal
Assignee:
Target version: -
% Done: 0%
Source:
Tags: sigv4 backport_processed
Backport: quincy reef
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

"When the value of the x_amz_content_sha256 request header in the request is incorrect, the response status code is 200 OK, which does not meet the expected outcome."
When the value of x_amz_content_sha256 is a string that is not 64 characters long, the result returned upon sending a request to create a bucket is as follows:

@18d470fd3a9d ▶ sh create_bucket_ceph.sh
*   Trying 127.0.0.1:8000...
* Connected to 127.0.0.1 (127.0.0.1) port 8000 (#0)
> PUT /bkbk2 HTTP/1.1
> Host: 127.0.0.1:8000
> User-Agent: curl/7.76.1
> Accept: */*
> Authorization: AWS4-HMAC-SHA256 Credential=user1/20240118/default/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=460f797c5cc316d6686fc9d60cf6e7bf5440292341faf20e94ec37efe5a34fa9
> x-amz-content-sha256: hudiepwhfrue45w
> X-Amz-Date: 20240118T080246Z
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< x-amz-request-id: tx00000b6cdb4d31b0106b0-0065a8db26-4137-default
< Server: Ceph Object Gateway (squid)
< Content-Length: 0
< Date: Thu, 18 Jan 2024 08:02:48 GMT
< Connection: Keep-Alive
<
* Connection #0 to host 127.0.0.1 left intact

When the value of the x-amz-content-sha256 request header is incorrect, the bucket bkbk2 is created successfully without the request header being validated.


Files

image2024-1-18_16-2-43.png (60.1 KB), djf daijufang, 01/18/2024 09:25 AM
image2024-1-18_17-7-30.png (60.9 KB): When the value of the x-amz-content-sha256 request header is 'hudiepwhfrue45w', the response is 400 Bad Request, indicating an invalid request. djf daijufang, 01/18/2024 09:56 AM
image2024-1-18_17-6-45.png (262 KB): The log indicates the process of validating the x-amz-content-sha256 request header, and error logs have been printed. djf daijufang, 01/18/2024 09:57 AM
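
The header check this report describes as missing, as an added example that is not Ceph's code and not the fix in the linked pull request. It goes one step beyond the length check in the report by also comparing a well-formed digest against the received payload; `check_content_sha256`, the reason strings and the accepted reserved values are assumptions of this sketch, and SigV4 signature verification is a separate step not shown.

```python
import hashlib
import re

# Non-digest values AWS documents for x-amz-content-sha256 under SigV4.
# Which of them a given gateway accepts is an assumption of this sketch.
RESERVED_VALUES = {
    "UNSIGNED-PAYLOAD",
    "STREAMING-AWS4-HMAC-SHA256-PAYLOAD",
    "STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER",
    "STREAMING-UNSIGNED-PAYLOAD-TRAILER",
}
HEX_SHA256 = re.compile(r"[0-9a-f]{64}")  # lowercase hex, as SigV4 clients send


def check_content_sha256(header_value: str, body: bytes):
    """Return (http_status, reason) for the header check (hypothetical helper).

    200 means only that this check passes, not that the request is authorized.
    """
    if header_value in RESERVED_VALUES:
        # Payload is unsigned or signed per chunk: no whole-body digest here.
        return 200, "reserved value"
    if not HEX_SHA256.fullmatch(header_value):
        # The case in this report: a short string that cannot be a SHA-256.
        return 400, "not a 64-character hex SHA-256"
    if header_value != hashlib.sha256(body).hexdigest():
        # Well-formed digest, but not the digest of the bytes received.
        return 400, "digest does not match payload"
    return 200, "digest matches payload"


if __name__ == "__main__":
    empty = hashlib.sha256(b"").hexdigest()
    # Constructed samples; the first is the header value from the report.
    samples = [
        ("hudiepwhfrue45w", b""),
        (empty, b""),
        (empty, b"<CreateBucketConfiguration/>"),
        ("UNSIGNED-PAYLOAD", b"anything"),
    ]
    for value, body in samples:
        print(value[:20], len(body), check_content_sha256(value, body))
```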

Related issues 2 (2 open, 0 closed)

Copied to rgw - Backport #64379: reef: Missing validation for request header x_amz_content_sha256 (New, Casey Bodley)
Copied to rgw - Backport #64380: quincy: Missing validation for request header x_amz_content_sha256 (New, Casey Bodley)

Updated by djf daijufang 4 months ago

The solution to this issue has been submitted to GitHub. The code link is: https://github.com/ceph/ceph/pull/55230.

The test results for this solution are shown in the following images.

Actions #2

Updated by Casey Bodley 4 months ago

  • Status changed from New to Fix Under Review
  • Tags set to sigv4
  • Pull request ID set to 55230
Actions #3

Updated by Casey Bodley 3 months ago

  • Project changed from Ceph to rgw
  • Status changed from Fix Under Review to Pending Backport
  • Assignee set to Casey Bodley
  • Backport set to quincy reef
Actions #4

Updated by Backport Bot 3 months ago

  • Copied to Backport #64379: reef: Missing validation for request header x_amz_content_sha256 added
Actions #5

Updated by Backport Bot 3 months ago

  • Copied to Backport #64380: quincy: Missing validation for request header x_amz_content_sha256 added
Actions #6

Updated by Backport Bot 3 months ago

  • Tags changed from sigv4 to sigv4 backport_processed
Actions #7

Updated by Casey Bodley 3 months ago

  • Pull request ID changed from 55230 to 55250