Bug #13207 (closed)
CVE-2016-7031 rgw: Anonymous user is able to read bucket with authenticated read ACL
Description
When the "authenticated-read" ACL is applied on a bucket, an anonymous user is also able to read (e.g. list) the bucket. But as per the S3 documentation, only authenticated users should be allowed to access the bucket.
For example, using python boto with the code below, any anonymous user is able to list the bucket using the public URL:
```python
import boto
import requests
import boto.s3.connection
from boto import exception

access_key = '8d52e5231eed4a899220e7e85affd840'
secret_key = '03ad4895c4f9465aa57ff8d116d9eebb'

boto.config.add_section("Boto")
boto.config.set("Boto", "num_retries", "1")

conn = boto.connect_s3(
    aws_access_key_id=access_key,
    aws_secret_access_key=secret_key,
    port=80,
    host='localhost',
    is_secure=True,
    calling_format=boto.s3.connection.OrdinaryCallingFormat(),
    debug=1
)

# Create a bucket, restrict it to authenticated users, and put one object in it.
bucket = conn.create_bucket("new_cont1")
bucket.set_canned_acl('authenticated-read')
key = bucket.new_key("one")
key.set_contents_from_string("testing bucket level acl")

# Derive the plain bucket URL from the signed one: drop the query string (the
# signature) and rebuild scheme://host/bucket so the request carries no credentials.
url = bucket.generate_url(3600)
l = url.split("?")[0].split("/")
url = l[0] + "/" + "/" + l[2] + "/" + l[3]

# An unauthenticated GET on the bucket must be refused (403); on affected rgw
# versions the bucket listing is returned instead.
r = requests.get(url)
data = r.text
print(data)
assert (r.status_code == 403)
```
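The distinction the report turns on is between the S3 AllUsers group (matched by anonymous requests) and the AuthenticatedUsers group (requires an identity). The following is an added example, not code from the ticket or from Ceph, that evaluates S3-style ACL XML with that distinction applied; the ACL documents it builds are constructed samples modelled on the canned ACLs.

```python
import xml.etree.ElementTree as ET

S3_NS = "http://s3.amazonaws.com/doc/2006-03-01/"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def canned_acl_xml(owner_id, canned):
    """Constructed ACL document for a canned ACL ('private', 'public-read',
    'authenticated-read'): owner gets FULL_CONTROL plus the canned grant."""
    grants = [f'<Grantee xmlns:xsi="{XSI_NS}" xsi:type="CanonicalUser"><ID>{owner_id}</ID>'
              f'</Grantee><Permission>FULL_CONTROL</Permission>']
    group = {"authenticated-read": AUTH_USERS, "public-read": ALL_USERS}.get(canned)
    if group:
        grants.append(f'<Grantee xmlns:xsi="{XSI_NS}" xsi:type="Group"><URI>{group}</URI>'
                      f'</Grantee><Permission>READ</Permission>')
    body = "".join(f"<Grant>{g}</Grant>" for g in grants)
    return (f'<AccessControlPolicy xmlns="{S3_NS}"><Owner><ID>{owner_id}</ID></Owner>'
            f'<AccessControlList>{body}</AccessControlList></AccessControlPolicy>')


def is_allowed(acl_xml, permission, user_id=None):
    """True if user_id (None = anonymous request) holds `permission` or FULL_CONTROL.
    Anonymous requests match only AllUsers; AuthenticatedUsers needs an identity."""
    ns = {"s3": S3_NS}
    root = ET.fromstring(acl_xml)
    for grant in root.findall("s3:AccessControlList/s3:Grant", ns):
        perm = grant.findtext("s3:Permission", namespaces=ns)
        if perm not in (permission, "FULL_CONTROL"):
            continue
        grantee = grant.find("s3:Grantee", ns)
        kind = grantee.get(f"{{{XSI_NS}}}type")
        if kind == "CanonicalUser":
            if user_id is not None and grantee.findtext("s3:ID", namespaces=ns) == user_id:
                return True
        elif kind == "Group":
            uri = grantee.findtext("s3:URI", namespaces=ns)
            # The bug on this ticket is equivalent to treating AUTH_USERS like ALL_USERS here.
            if uri == ALL_USERS or (uri == AUTH_USERS and user_id is not None):
                return True
    return False
```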
Files
Updated by Rahul Aggarwal over 8 years ago
- File testauthenticatedread.py added
attaching test code
Updated by Nathan Cutler over 8 years ago
- Status changed from New to Fix Under Review
Updated by Nathan Cutler over 7 years ago
- Status changed from Fix Under Review to Pending Backport
https://github.com/ceph/ceph/pull/6057 was merged, but ticket status was not changed. Thanks to Osamu for bringing this to our attention via the ceph-devel mailing list.
Updated by Nathan Cutler over 7 years ago
- Subject changed from Rados Gateway: Anonymous user is able to read bucket with authenticated read ACL to rgw: Anonymous user is able to read bucket with authenticated read ACL
Updated by Loïc Dachary over 7 years ago
- Copied to Backport #17150: hammer: rgw: Anonymous user is able to read bucket with authenticated read ACL added
Updated by Ken Dreyer over 7 years ago
RH Security team has assigned CVE-2016-7031 to this issue.
Updated by Ken Dreyer over 7 years ago
- Subject changed from rgw: Anonymous user is able to read bucket with authenticated read ACL to CVE-2016-7031 rgw: Anonymous user is able to read bucket with authenticated read ACL
Updated by Nathan Cutler over 7 years ago
- Status changed from Pending Backport to Resolved