Bug #43018
STS crashes with uncaught exception when session token is not base64 encoded
Status: closed
Description
Description of problem:
If the value of an X-Amz-Security-Token header is not valid base64, the attempt to decode it throws an exception. This exception is not caught in STSEngine::get_session_token(), so it propagates out of the request handler and terminates the process.
How reproducible:
Whenever the X-Amz-Security-Token header contains an invalid character
Steps to Reproduce:
1. Add 'rgw s3 auth use sts = true' to radosgw configuration, then restart.
2. Send an HTTP request with a bad X-Amz-Security-Token:
$ curl http://radosgw -H 'X-Amz-Security-Token: -' -H 'Authorization: AWS abd:def' -H "Date: `TZ=GMT date -R`"
Actual results:
curl: (52) Empty reply from server
and radosgw crashes
Expected results:
The request fails to authenticate, and replies with either 400 Bad Request or 403 Forbidden.
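The fix the expected results call for is to treat a decode failure as an authentication error rather than let the exception escape. The following is an added example, not Ceph's code: strict_base64_decode, get_session_token_safe, AuthResult and the "<access_key_id>:<secret>" token layout are all constructed here to illustrate the pattern (catch the decode exception at the header-parsing boundary and map it to 400/403), and do not reflect the real STS token format or radosgw's internal API.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <stdexcept>
#include <string>

// Hypothetical strict base64 decoder (constructed for this example). It throws
// std::invalid_argument on any byte outside the base64 alphabet or on bad
// padding, mirroring the failure mode described in the report.
std::string strict_base64_decode(const std::string& in) {
    static const std::string alphabet =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    if (in.empty() || in.size() % 4 != 0)
        throw std::invalid_argument("base64 length must be a non-zero multiple of 4");
    std::string out;
    uint32_t acc = 0;   // bit accumulator
    int bits = 0;       // number of valid bits in acc
    size_t pad = 0;
    for (size_t i = 0; i < in.size(); ++i) {
        const char c = in[i];
        if (c == '=') {
            // '=' is only legal in the last two positions
            if (i + 2 < in.size()) throw std::invalid_argument("padding in the middle");
            ++pad;
            continue;
        }
        if (pad) throw std::invalid_argument("data after padding");
        const size_t v = alphabet.find(c);
        if (v == std::string::npos)
            throw std::invalid_argument(std::string("invalid base64 character: ") + c);
        acc = ((acc << 6) | static_cast<uint32_t>(v)) & 0xFFFFFFu;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out.push_back(static_cast<char>((acc >> bits) & 0xFFu));
        }
    }
    return out;
}

enum class AuthResult { ok, malformed_token, access_denied };

struct SessionToken {
    std::string access_key_id;
    std::string secret;
};

// Hypothetical stand-in for STSEngine::get_session_token(). The decode is
// wrapped in try/catch so a malformed header becomes an error code the caller
// can turn into an HTTP status, instead of an uncaught exception that would
// take the whole daemon down.
AuthResult get_session_token_safe(const std::string& header_value, SessionToken& out) {
    std::string raw;
    try {
        raw = strict_base64_decode(header_value);
    } catch (const std::invalid_argument& e) {
        std::cerr << "rejecting malformed X-Amz-Security-Token: " << e.what() << '\n';
        return AuthResult::malformed_token;
    }
    // Constructed token layout for the example: "<access_key_id>:<secret>".
    const size_t sep = raw.find(':');
    if (sep == std::string::npos) return AuthResult::access_denied;
    out.access_key_id = raw.substr(0, sep);
    out.secret = raw.substr(sep + 1);
    return AuthResult::ok;
}

// Map the auth outcome to the reply the report expects (400 or 403, never a crash).
int http_status_for(AuthResult r) {
    switch (r) {
        case AuthResult::ok:              return 200;
        case AuthResult::malformed_token: return 400;
        case AuthResult::access_denied:   return 403;
    }
    return 500;
}

int main() {
    SessionToken tok;
    // The header value from the reproducer: a lone '-' is not base64.
    std::cout << "'-'            -> " << http_status_for(get_session_token_safe("-", tok)) << '\n';
    // Constructed well-formed token: base64 of "abd:def".
    std::cout << "'YWJkOmRlZg==' -> " << http_status_for(get_session_token_safe("YWJkOmRlZg==", tok))
              << " (" << tok.access_key_id << ")\n";
    return 0;
}
```

The important property is that the exception boundary sits where untrusted input enters: the decoder may throw freely, but get_session_token_safe() guarantees no exception leaves it, so a single bad header can only produce an error reply, not a denial of service against every other client of the gateway.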