From: Joshua Baergen
Date: Wed, 17 May 2023 18:17:09 +0000 (-0600)
Subject: CVE-2023-43040 rgw: Fix bucket validation against POST policies
X-Git-Tag: archive/raspbian/16.2.11+ds-5+rpi1^2~1
X-Git-Url: https://dgit.raspbian.org/%22http://www.example.com/cgi/%22/%22http:/www.example.com/cgi/%22?a=commitdiff_plain;h=d9d838f7b30bd09b1d2f6fea62079834dd89f510;p=ceph.git

CVE-2023-43040 rgw: Fix bucket validation against POST policies

Bug: https://tracker.ceph.com/issues/63004
Signed-off-by: Joshua Baergen
Origin: https://github.com/ceph/ceph/commit/98bfb71cb38899333deb58dd2562037450fd7fa8.patch
Last-Date: 2024-10-09

It's possible that a user could provide a form part as a part of a POST object upload that uses 'bucket' as a key; in this case, it was overriding what was being set in the validation env (which is the real bucket being modified). The result of this is that a user could actually upload to any bucket accessible by the specified access key by matching the bucket in the POST policy in said POST form part.

Fix this simply by setting the bucket to the correct value after the POST form parts are processed, ignoring the form part above if specified.

Gbp-Pq: Name CVE-2023-43040_rgw_Fix_bucket_validation_against_POST_policies.patch
---
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc index 1ed672fa6..99f33f8a9 100644 --- a/src/rgw/rgw_rest_s3.cc +++ b/src/rgw/rgw_rest_s3.cc @@ -2661,10 +2661,6 @@ int RGWPostObj_ObjStore_S3::get_params(optional_yield y) map_qs_metadata(s); - ldpp_dout(this, 20) << "adding bucket to policy env: " << s->bucket->get_name() - << dendl; - env.add_var("bucket", s->bucket->get_name()); - bool done; do { struct post_form_part part; 
@@ -2715,6 +2711,10 @@ int RGWPostObj_ObjStore_S3::get_params(optional_yield y) env.add_var(part.name, part_str); } while (!done); + ldpp_dout(this, 20) << "adding bucket to policy env: " << s->bucket->get_name() + << dendl; + env.add_var("bucket", s->bucket->get_name()); + string object_str; if (!part_str(parts, "key", &object_str)) { err_msg = "Key not specified";
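Review bot: The form-part loop that follows the removed lines in the first hunk (@@ -2661) still copies a client-supplied part named 'bucket' into the policy env through `env.add_var(part.name, part_str)`, so the policy check is sound only because a later `env.add_var("bucket", ...)` replaces that value. Consider logging, next to that loop, when a form part named 'bucket' is present and differs from `s->bucket->get_name()`, so that requests attempting the override described in the commit message show up in the RGW log instead of being silently corrected.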
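Review bot: The re-added `env.add_var("bucket", s->bucket->get_name());` in the second hunk (@@ -2715) is correct only because it runs after `while (!done)`, and nothing at that spot says so. Add a short comment stating that the bucket must be set after the form parts are processed so that a form part named 'bucket' cannot take precedence; without it a later refactor could move the call back above the loop. The diff touches only src/rgw/rgw_rest_s3.cc, so a regression test that submits a POST form carrying a 'bucket' part naming a different bucket and expects the policy check to fail would pin the behaviour. It is also worth confirming that nothing after this point reads 'bucket' from `parts` the way `part_str(parts, "key", &object_str)` reads the key.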