Project

General

Profile

Actions
Copy link

Bug #24223

closed

Invalid Access-Control-Request-Request may bypass validate_cors_rule_method

Added by Jeegn Chen almost 6 years ago. Updated over 5 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Casey Bodley
Target version:
-
% Done:

0%

Source:
Tags:
Backport:
luminous mimic
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
Ceph - v12.2.2
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

static bool validate_cors_rule_method(RGWCORSRule *rule, const char *req_meth) {
  uint8_t flags = 0;

  if (!req_meth) {
    dout(5) << "req_meth is null" << dendl;
    return false;
  }

  if (strcmp(req_meth, "GET") == 0) flags = RGW_CORS_GET;
  else if (strcmp(req_meth, "POST") == 0) flags = RGW_CORS_POST;
  else if (strcmp(req_meth, "PUT") == 0) flags = RGW_CORS_PUT;
  else if (strcmp(req_meth, "DELETE") == 0) flags = RGW_CORS_DELETE;
  else if (strcmp(req_meth, "HEAD") == 0) flags = RGW_CORS_HEAD;

  if ((rule->get_allowed_methods() & flags) == flags) { <<<<<<<<<< if req_meth=="GET, DELETE", flags will be 0 and the check will succeed. Then "GET, DELETE" will appear as the value of Access-Control-Allow-Methods in the response
    dout(10) << "Method " << req_meth << " is supported" << dendl;
  } else {
    dout(5) << "Method " << req_meth << " is not supported" << dendl;
    return false;
  }

  return true;
}

Maybe the snippet should be 

static bool validate_cors_rule_method(RGWCORSRule *rule, const char *req_meth) {
  uint8_t flags = 0;

  if (!req_meth) {
    dout(5) << "req_meth is null" << dendl;
    return false;
  }

  if (strcmp(req_meth, "GET") == 0) flags = RGW_CORS_GET;
  else if (strcmp(req_meth, "POST") == 0) flags = RGW_CORS_POST;
  else if (strcmp(req_meth, "PUT") == 0) flags = RGW_CORS_PUT;
  else if (strcmp(req_meth, "DELETE") == 0) flags = RGW_CORS_DELETE;
  else if (strcmp(req_meth, "HEAD") == 0) flags = RGW_CORS_HEAD;

  if (flags && (rule->get_allowed_methods() & flags) == flags) { <<<<<<<<<<
    dout(10) << "Method " << req_meth << " is supported" << dendl;
  } else {
    dout(5) << "Method " << req_meth << " is not supported" << dendl;
    return false;
  }

  return true;
}

Related issues 2 (0 open2 closed)

Copied to rgw - Backport #24809: mimic: Invalid Access-Control-Request-Request may bypass validate_cors_rule_methodResolvedNathan CutlerActions
Copied to rgw - Backport #24810: luminous: Invalid Access-Control-Request-Request may bypass validate_cors_rule_methodResolvedNathan CutlerActions
Actions
Copy link
 #2

Updated by Casey Bodley almost 6 years ago

  • Status changed from New to 7
  • Backport set to luminous mimic
Actions
Copy link
 #3

Updated by Orit Wasserman almost 6 years ago

  • Assignee set to Casey Bodley
Actions
Copy link
 #4

Updated by Yuri Weinstein almost 6 years ago

Jeegn Chen wrote:

PR: https://github.com/ceph/ceph/pull/22145

mergedReviewed-by: Casey Bodley <>

Actions
Copy link
 #5

Updated by Casey Bodley almost 6 years ago

  • Status changed from 7 to Pending Backport
Actions
Copy link
 #6

Updated by Nathan Cutler almost 6 years ago

  • Copied to Backport #24809: mimic: Invalid Access-Control-Request-Request may bypass validate_cors_rule_method added
Actions
Copy link
 #7

Updated by Nathan Cutler almost 6 years ago

  • Copied to Backport #24810: luminous: Invalid Access-Control-Request-Request may bypass validate_cors_rule_method added
Actions
Copy link
 #8

Updated by Nathan Cutler over 5 years ago

  • Status changed from Pending Backport to Resolved
Actions
Copy link

Also available in: Atom PDF