Check if `HTTP_X_AMZ_COPY_SOURCE` header is empty

Origin: https://github.com/ceph/ceph/commit/bef59f17293e6e93af025eba1e00646d0b1a2bf0
Bug-Debian: https://bugs.debian.org/1120797
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47866

The issue was that the `HTTP_X_AMZ_COPY_SOURCE` header could be present but empty (i.e., an empty string rather than NULL). The  code only checked if the pointer was not NULL, but didn't verify that the string had content. When an empty string was passed to RGWCopyObj::parse_copy_location(), it would eventually try to access name_str[0] on an empty string, causing a crash.

Fixes: https://tracker.ceph.com/issues/72669
Signed-off-by: Suyash Dongre <suyashd999@gmail.com>
Gbp-Pq: Name Check-if-HTTP_X_AMZ_COPY_SOURCE-header-is-empty.patch

diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index f3660d30b181f3d0977f623471ed66e40b2fc945..e2d36a50bdfa31030b886d8b07c9998a222215c2 100644 (file)
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -5166,6 +5166,9 @@ bool RGWCopyObj::parse_copy_location(const std::string_view& url_src,
     params_str = url_src.substr(pos + 1);
   }
 
+  if (name_str.empty()) {
+    return false;
+  }
   if (name_str[0] == '/') // trim leading slash
     name_str.remove_prefix(1);