Actions
Bug #24223
closedInvalid Access-Control-Request-Request may bypass validate_cors_rule_method
% Done:
0%
Source:
Tags:
Backport:
luminous mimic
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):
Description
static bool validate_cors_rule_method(RGWCORSRule *rule, const char *req_meth) { uint8_t flags = 0; if (!req_meth) { dout(5) << "req_meth is null" << dendl; return false; } if (strcmp(req_meth, "GET") == 0) flags = RGW_CORS_GET; else if (strcmp(req_meth, "POST") == 0) flags = RGW_CORS_POST; else if (strcmp(req_meth, "PUT") == 0) flags = RGW_CORS_PUT; else if (strcmp(req_meth, "DELETE") == 0) flags = RGW_CORS_DELETE; else if (strcmp(req_meth, "HEAD") == 0) flags = RGW_CORS_HEAD; if ((rule->get_allowed_methods() & flags) == flags) { <<<<<<<<<< if req_meth=="GET, DELETE", flags will be 0 and the check will succeed. Then "GET, DELETE" will appear as the value of Access-Control-Allow-Methods in the response dout(10) << "Method " << req_meth << " is supported" << dendl; } else { dout(5) << "Method " << req_meth << " is not supported" << dendl; return false; } return true; }
Maybe the snippet should be
static bool validate_cors_rule_method(RGWCORSRule *rule, const char *req_meth) { uint8_t flags = 0; if (!req_meth) { dout(5) << "req_meth is null" << dendl; return false; } if (strcmp(req_meth, "GET") == 0) flags = RGW_CORS_GET; else if (strcmp(req_meth, "POST") == 0) flags = RGW_CORS_POST; else if (strcmp(req_meth, "PUT") == 0) flags = RGW_CORS_PUT; else if (strcmp(req_meth, "DELETE") == 0) flags = RGW_CORS_DELETE; else if (strcmp(req_meth, "HEAD") == 0) flags = RGW_CORS_HEAD; if (flags && (rule->get_allowed_methods() & flags) == flags) { <<<<<<<<<< dout(10) << "Method " << req_meth << " is supported" << dendl; } else { dout(5) << "Method " << req_meth << " is not supported" << dendl; return false; } return true; }
Actions