[PATCH] [CVE-2024-48916] rgw/sts: fix to disallow unsupported JWT algorithms while...

author Pritha Srivastava <prsrivas@redhat.com>

Tue, 5 Nov 2024 06:33:00 +0000 (12:03 +0530)

committer Daniel Baumann <daniel@debian.org>

Wed, 4 Dec 2024 05:46:17 +0000 (06:46 +0100)
author Pritha Srivastava <prsrivas@redhat.com>
Tue, 5 Nov 2024 06:33:00 +0000 (12:03 +0530)
committer Daniel Baumann <daniel@debian.org>
Wed, 4 Dec 2024 05:46:17 +0000 (06:46 +0100)
diff --git a/src/rgw/rgw_rest_sts.cc b/src/rgw/rgw_rest_sts.cc

index 1daf6863f51563ab1e629a3d5ef7bb14fa8d2cc2..f26b211f2e86f7672499f065758cbcc4572d28f2 100644 (file)
--- a/src/rgw/rgw_rest_sts.cc
+++ b/src/rgw/rgw_rest_sts.cc
@@ -434,6 +434,9 @@ WebTokenEngine::validate_signature(const DoutPrefixProvider* dpp, const jwt::dec
                                .allow_algorithm(jwt::algorithm::ps512{cert});
  
                  verifier.verify(decoded);
+              } else {
+                ldpp_dout(dpp, 0) << "Unsupported algorithm: " << algorithm << dendl;
+                throw -EINVAL;
                }
              } catch (std::runtime_error& e) {
                ldpp_dout(dpp, 0) << "Signature validation failed: " << e.what() << dendl;
author	Pritha Srivastava <prsrivas@redhat.com>
	Tue, 5 Nov 2024 06:33:00 +0000 (12:03 +0530)
committer	Daniel Baumann <daniel@debian.org>
	Wed, 4 Dec 2024 05:46:17 +0000 (06:46 +0100)