From: Casey Bodley Date: Tue, 26 May 2020 19:03:03 +0000 (-0400) Subject: rgw: sanitize newlines in s3 CORSConfiguration's ExposeHeader X-Git-Tag: archive/raspbian/12.2.11+dfsg1-2.1+rpi1+deb10u1^2~14 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=3b43f29ad27324d3b0873f64623a2ef60db01f66;p=ceph.git rgw: sanitize newlines in s3 CORSConfiguration's ExposeHeader the values in the element are sent back to clients in a Access-Control-Expose-Headers response header. if the values are allowed to have newlines in them, they can be used to inject arbitrary response headers this issue only affects s3, which gets these values from an xml document in swift, they're given in the request header X-Container-Meta-Access-Control-Expose-Headers, so the value itself cannot contain newlines Signed-off-by: Casey Bodley Reported-by: Adam Mohammed Origin: upstream, https://github.com/ceph/ceph/pull/35773 Gbp-Pq: Name CVE-2020-10753.patch
---
diff --git a/src/rgw/rgw_cors.cc b/src/rgw/rgw_cors.cc
index 3081dc00d..2d9863bb2 100644
--- a/src/rgw/rgw_cors.cc
+++ b/src/rgw/rgw_cors.cc
@@ -143,11 +143,12 @@ bool RGWCORSRule::is_header_allowed(const char *h, size_t len) {
 void RGWCORSRule::format_exp_headers(string& s) {
 s = "";
- for(list::iterator it = exposable_hdrs.begin();
- it != exposable_hdrs.end(); ++it) {
- if (s.length() > 0)
- s.append(",");
- s.append((*it));
+ for (const auto& header : exposable_hdrs) {
+ if (s.length() > 0)
+ s.append(",");
+ // these values are sent to clients in a 'Access-Control-Expose-Headers'
+ // response header, so we escape '\n' to avoid header injection
+ boost::replace_all_copy(std::back_inserter(s), header, "\n", "\\n");
 }
 }
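Review bot: The escaping on the `boost::replace_all_copy` line neutralizes only `\n`; a `\r` in a stored ExposeHeader value still reaches the `Access-Control-Expose-Headers` header unchanged, and since whether a bare CR ends a header line depends on the HTTP front end in use, it is safer to escape it too, e.g. `std::string escaped = boost::replace_all_copy(header, "\n", "\\n");` then `boost::replace_all(escaped, "\r", "\\r");` and `s.append(escaped);`. The hunk introduces `boost::replace_all_copy` and `std::back_inserter` but adds no include lines, so confirm that rgw_cors.cc already pulls in `<boost/algorithm/string/replace.hpp>` and `<iterator>`. The more durable fix is to reject control characters when the CORSConfiguration XML is parsed, so malformed values are never persisted; escaping at format time is still worth keeping as the fallback for values already stored. If any other stored CORS value is reflected into a response header elsewhere in this file, it presumably needs the same treatment, which this patch does not cover.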