[PATCH] Check if `HTTP_X_AMZ_COPY_SOURCE` header is empty

The issue was that the `HTTP_X_AMZ_COPY_SOURCE` header could be present but empty (i.e., an empty string rather than NULL). The  code only checked if the pointer was not NULL, but didn't verify that the string had content. When an empty string was passed to RGWCopyObj::parse_copy_location(), it would eventually try to access name_str[0] on an empty string, causing a crash.

Fixes: https://tracker.ceph.com/issues/72669
Signed-off-by: Suyash Dongre <suyashd999@gmail.com>
Gbp-Pq: Name CVE-2024-47866.patch

diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index c2501b7842a450019454325f2574a99d84c4fe7d..464f3f56372bff2adc6b4932f807d86434fcb30c 100644 (file)
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -4830,6 +4830,10 @@ bool RGWCopyObj::parse_copy_location(const boost::string_view& url_src,
     params_str = url_src.substr(pos + 1);
   }
 
+  if (name_str.empty()) {
+    return false;
+  }
+
   boost::string_view dec_src{name_str};
   if (dec_src[0] == '/')
     dec_src.remove_prefix(1);