Bug #13207

closed

CVE-2016-7031 rgw: Anonymous user is able to read bucket with authenticated read ACL

Added by Rahul Aggarwal over 8 years ago. Updated over 7 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Target version: -
% Done: 0%
Source: other
Tags:
Backport: hammer
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

When the "authenticated-read" ACL is applied to a bucket, an anonymous user is still able to read (e.g. list) the bucket. As per the S3 documentation, only authenticated users should be allowed to access the bucket.

For example, with the python-boto code below, any anonymous user is able to list the bucket using the public URL:

@
# Reproduction script from the report: create a bucket with the
# "authenticated-read" canned ACL, then fetch it without any signature.
import boto
import requests
import boto.s3.connection
from boto import exception

# Test credentials used by the reporter against a local rgw instance.
access_key = '8d52e5231eed4a899220e7e85affd840'
secret_key = '03ad4895c4f9465aa57ff8d116d9eebb'
boto.config.add_section("Boto")
boto.config.set("Boto", "num_retries", "1")
conn = boto.connect_s3(
    aws_access_key_id=access_key,
    aws_secret_access_key=secret_key,
    port=80,
    host='localhost',
    is_secure=True,  # as in the report; set False if the gateway speaks plain HTTP on port 80
    calling_format=boto.s3.connection.OrdinaryCallingFormat(),
    debug=1
)

bucket = conn.create_bucket("new_cont1")
bucket.set_canned_acl('authenticated-read')
key = bucket.new_key("one")
key.set_contents_from_string("testing bucket level acl")

# generate_url() returns a signed, path-style URL such as
# https://localhost:80/new_cont1/?Signature=...&Expires=...&AWSAccessKeyId=...
# Rebuild it from scheme, host and bucket only, dropping the query string,
# so the GET below carries no credentials at all (an anonymous request).
url = bucket.generate_url(3600)
l = url.split("/")
url = l[0] + "/" + "/" + l[2] + "/" + l[3]
r = requests.get(url)
data = r.text
print(data)
# An anonymous listing of an authenticated-read bucket must be refused;
# a vulnerable rgw returns 200 with the listing and this assertion fails.
assert (r.status_code == 403)
@
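The expected outcome of the unsigned request above can be stated as a small reference model of how S3 canned bucket ACLs are meant to be evaluated. This is an added illustration, not code from the report or from rgw; the group URIs are the real S3 ones, while the owner ids and the `Requester` shape are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Real S3 predefined-group URIs; anything else in a grant is a user id.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

@dataclass(frozen=True)
class Grant:
    grantee: str      # canonical user id or one of the group URIs above
    permission: str   # READ, WRITE, READ_ACP, WRITE_ACP or FULL_CONTROL

@dataclass(frozen=True)
class Requester:
    # None models a request that carried no (valid) signature: anonymous.
    user_id: Optional[str]

def canned_acl(name: str, owner: str) -> List[Grant]:
    """Expand a canned ACL into the explicit grants S3 documents for it."""
    grants = [Grant(owner, "FULL_CONTROL")]
    if name == "private":
        pass
    elif name == "public-read":
        grants.append(Grant(ALL_USERS, "READ"))
    elif name == "public-read-write":
        grants += [Grant(ALL_USERS, "READ"), Grant(ALL_USERS, "WRITE")]
    elif name == "authenticated-read":
        grants.append(Grant(AUTH_USERS, "READ"))
    else:
        raise ValueError("unknown canned ACL: %s" % name)
    return grants

def is_allowed(grants: List[Grant], who: Requester, permission: str) -> bool:
    """True if `who` holds `permission` (FULL_CONTROL implies every permission)."""
    anonymous = who.user_id is None
    for g in grants:
        if g.permission not in (permission, "FULL_CONTROL"):
            continue
        if g.grantee == ALL_USERS:
            return True
        # The rule the report is about: the AuthenticatedUsers group must only
        # match a principal whose signature actually verified, never an
        # unsigned request.
        if g.grantee == AUTH_USERS and not anonymous:
            return True
        if not anonymous and g.grantee == who.user_id:
            return True
    return False

def expected_status(grants: List[Grant], who: Requester, permission: str = "READ") -> int:
    """HTTP status a conforming gateway returns for a bucket listing."""
    return 200 if is_allowed(grants, who, permission) else 403
```

For the bucket in the report, `expected_status(canned_acl("authenticated-read", owner), Requester(None))` is 403, which is exactly what the reproduction script asserts.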


Files

testauthenticatedread.py (804 Bytes) - Rahul Aggarwal, 09/23/2015 10:41 AM

Related issues: 1 (0 open, 1 closed)

Copied to rgw - Backport #17150: hammer: rgw: Anonymous user is able to read bucket with authenticated read ACL (Resolved, Nathan Cutler)
