Tasks #1055

Bug #1053: rgw XML parsing exploits and flaws

RGW segfaults if the Owner field is not set in an ACL (subtask)

Added by Colin McCabe almost 9 years ago. Updated almost 9 years ago.

Status: Resolved
Priority: High
Category: -
% Done: 0%

Description

The following code explains the situation quite well, I think:

void RGWAccessControlPolicy::xml_end(const char *el) {
  acl = *(RGWAccessControlList *)find_first("AccessControlList");
  owner = *(ACLOwner *)find_first("Owner");
}

We have no idea whether find_first will find either of these things, or return NULL!

If AccessControlList isn't found, of course, the XML is malformed. But that still should not cause us to segfault.

Unfortunately, expat is not a validating XML parser, so we can't just validate against a schema.
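
An added example (not part of the original report, and not the code from the fix commit) showing one way to handle the NULL returns described above: `xml_end` checks both lookups and reports failure to its caller instead of dereferencing. The classes are simplified, hypothetical stand-ins for the RGW types; the `bool` return value and the `finish_policy` helper are assumptions made for the illustration.

```cpp
// Added illustration: simplified stand-ins, not Ceph's real classes.
#include <map>
#include <memory>
#include <string>
#include <utility>

struct XMLObj {
    virtual ~XMLObj() = default;
    std::multimap<std::string, std::unique_ptr<XMLObj>> children;

    // Like find_first() in the report: returns nullptr when no child matches.
    XMLObj *find_first(const std::string &name) const {
        auto it = children.lower_bound(name);
        return (it == children.end() || it->first != name) ? nullptr
                                                            : it->second.get();
    }
    void add(const std::string &name, std::unique_ptr<XMLObj> child) {
        children.emplace(name, std::move(child));
    }
};

struct ACLOwner : XMLObj { std::string id; };
struct AccessControlList : XMLObj { int grants = 0; };

struct AccessControlPolicy : XMLObj {
    AccessControlList acl;
    ACLOwner owner;

    // Checked xml_end(): a missing or wrongly typed child is a parse
    // failure the caller can reject, not a NULL dereference.
    bool xml_end() {
        auto *acl_p = dynamic_cast<AccessControlList *>(find_first("AccessControlList"));
        auto *owner_p = dynamic_cast<ACLOwner *>(find_first("Owner"));
        if (!acl_p || !owner_p)
            return false;
        acl.grants = acl_p->grants;
        owner.id = owner_p->id;
        return true;
    }
};

// Constructed input: build a policy tree with or without each child.
bool finish_policy(bool has_acl, bool has_owner) {
    AccessControlPolicy policy;
    if (has_acl)
        policy.add("AccessControlList", std::unique_ptr<XMLObj>(new AccessControlList));
    if (has_owner)
        policy.add("Owner", std::unique_ptr<XMLObj>(new ACLOwner));
    return policy.xml_end();
}
```
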

History

#1 Updated by Colin McCabe almost 9 years ago

  • Status changed from New to Resolved

fixed by a544bda7577321c4d6ecf7664a9363180984da56
