Bug #43018
STS crashes with uncaught exception when session token is not base64 encoded (closed)
Description
Description of problem:
If the value of an X-Amz-Security-Token header is not valid base64, the attempt to decode it will throw an exception. This exception is not caught in STSEngine::get_session_token(), so it will terminate the process.
How reproducible:
Whenever the X-Amz-Security-Token header contains an invalid character
Steps to Reproduce:
1. Add 'rgw s3 auth use sts = true' to radosgw configuration, then restart.
2. Send an http request with a bad X-Amz-Security-Token:
$ curl http://radosgw -H 'X-Amz-Security-Token: -' -H 'Authorization: AWS abd:def' -H "Date: `TZ=GMT date -R`"
Actual results:
curl: (52) Empty reply from server
and radosgw crashes
Expected results:
The request fails to authenticate, and replies with either 400 Bad Request or 403 Forbidden.
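The failure mode the report describes, shown as an added example rather than Ceph's own code: a strict base64 decoder that signals bad input by throwing, the unguarded call that lets the exception escape to whoever called it, and a guarded version that turns the same failure into an authentication error the handler can answer with 400 or 403. The decoder, the AuthResult type, the function names and the status mapping are assumptions made for this example; Ceph's STSEngine uses its own decode routine and error codes.

```cpp
#include <cstdint>
#include <iostream>
#include <stdexcept>
#include <string>

// Strict base64 decoder used by this example (not Ceph's decoder).
// Any character outside the alphabet, misplaced padding, or a length that is
// not a multiple of four throws std::invalid_argument, mirroring a decoder
// that reports bad input by exception rather than by return code.
std::string base64_decode_strict(const std::string& in) {
    static const std::string alphabet =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    std::string out;
    uint32_t acc = 0;
    int bits = 0;
    size_t pad = 0;
    for (size_t i = 0; i < in.size(); ++i) {
        const char c = in[i];
        if (c == '=') {
            // padding is only legal in the last two positions
            if (i + 2 < in.size())
                throw std::invalid_argument("padding before end of input");
            ++pad;
            continue;
        }
        if (pad)
            throw std::invalid_argument("data after padding");
        const size_t pos = alphabet.find(c);
        if (pos == std::string::npos)
            throw std::invalid_argument(std::string("invalid base64 character '") + c + "'");
        acc = (acc << 6) | static_cast<uint32_t>(pos);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out.push_back(static_cast<char>((acc >> bits) & 0xFFu));
        }
    }
    if (in.size() % 4 != 0)
        throw std::invalid_argument("length is not a multiple of 4");
    return out;
}

// The shape of the bug: the decode result is used directly, so a header such
// as "X-Amz-Security-Token: -" lets std::invalid_argument escape. A caller
// that never catches it (or is noexcept) ends in std::terminate, i.e. the
// daemon dies and curl sees an empty reply.
std::string get_session_token_unchecked(const std::string& header) {
    return base64_decode_strict(header);
}

// Guarded version: a malformed token becomes an authentication failure that
// the request handler can map to 400/403 instead of an unhandled exception.
struct AuthResult {
    int http_status;    // 200 on success, 400/403 on rejection (assumed mapping)
    std::string token;  // decoded token bytes when http_status == 200
};

AuthResult get_session_token_checked(const std::string& header) {
    if (header.empty())
        return {400, ""};                 // header present but empty: bad request
    try {
        return {200, base64_decode_strict(header)};
    } catch (const std::invalid_argument&) {
        return {403, ""};                 // undecodable token: forbidden, daemon stays up
    }
}

// Lets a caller confirm that the unchecked path really throws on bad input.
bool unchecked_decode_throws(const std::string& header) {
    try {
        get_session_token_unchecked(header);
        return false;
    } catch (const std::invalid_argument&) {
        return true;
    }
}

int main() {
    // Constructed inputs: the bad header value from the report and a well-formed one.
    const std::string bad_header = "-";
    const std::string good_header = "c2Vzc2lvbi10b2tlbg==";   // base64 of "session-token"
    AuthResult r = get_session_token_checked(bad_header);
    std::cout << "bad header -> HTTP " << r.http_status << '\n';
    r = get_session_token_checked(good_header);
    std::cout << "good header -> HTTP " << r.http_status << " token=" << r.token << '\n';
    // get_session_token_unchecked(bad_header) would throw here and, left
    // uncaught, terminate the process exactly as the report describes.
    return 0;
}
```

The point of the guarded version is that the boundary between untrusted input and the decoder is the only place where the failure can be contained; once the exception crosses into the request dispatch path nothing in a typical handler will catch it, so the decision about which status to return has to be made where the decode happens.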
Updated by Casey Bodley over 4 years ago
- Status changed from 7 to Pending Backport
Updated by Nathan Cutler over 4 years ago
- Copied to Backport #43157: mimic: STS crashes with uncaught exception when session token is not base64 encoded added
Updated by Nathan Cutler over 4 years ago
- Copied to Backport #43158: nautilus: STS crashes with uncaught exception when session token is not base64 encoded added
Updated by Nathan Cutler about 4 years ago
- Status changed from Pending Backport to Resolved
Updated by Nathan Cutler about 4 years ago
This is a follow-on fix for 001f0577135f2932b9a16bf0ec6ec9b1f6b06424 which is a part of https://github.com/ceph/ceph/pull/23504 which was merged for the nautilus release and is not being backported to mimic.