CVE-2023-43040 rgw: Fix bucket validation against POST policies

It's possible that user could provide a form part as a part of a POST
object upload that uses 'bucket' as a key; in this case, it was
overriding what was being set in the validation env (which is the real
bucket being modified). The result of this is that a user could actually
upload to any bucket accessible by the specified access key by matching
the bucket in the POST policy in said POST form part.

Fix this simply by setting the bucket to the correct value after the
POST form parts are processed, ignoring the form part above if
specified.

bug: https://tracker.ceph.com/issues/63004
bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053690
bug-debian-security: https://deb.freexian.com/extended-lts/tracker/CVE-2023-43040

Signed-off-by: Joshua Baergen <jbaergen@digitalocean.com>
origin: backport, https://github.com/ceph/ceph/commit/479976538fe8f51edfea597443ba0c0209d3f39f

Gbp-Pq: Name CVE-2023-43040.patch

diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index f25890f527ab8a8a6ce7c72d870d7fd9bd54ceef..f5d1f7699f20aae654b3622ff84bbb24af206eae 100644 (file)
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -1998,10 +1998,6 @@ int RGWPostObj_ObjStore_S3::get_params()
 
   map_qs_metadata(s);
 
-  ldout(s->cct, 20) << "adding bucket to policy env: " << s->bucket.name
-                   << dendl;
-  env.add_var("bucket", s->bucket.name);
-
   bool done;
   do {
     struct post_form_part part;
@@ -2052,6 +2048,10 @@ int RGWPostObj_ObjStore_S3::get_params()
     env.add_var(part.name, part_str);
   } while (!done);
 
+  ldout(s->cct, 20) << "adding bucket to policy env: " << s->bucket.name
+                   << dendl;
+  env.add_var("bucket", s->bucket.name);
+
   string object_str;
   if (!part_str(parts, "key", &object_str)) {
     err_msg = "Key not specified";