From: Adam C. Emerson <aemerson@redhat.com>
Date: Fri, 8 Jul 2022 18:58:16 +0000 (-0400)
Subject: CVE-2022-3854: rgw: Guard against malformed bucket URLs
X-Git-Tag: archive/raspbian/16.2.11+ds-2+rpi1^2~1
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=7aeeef72dd6a1edc81439d9a030d658138e241b9;p=ceph.git

CVE-2022-3854: rgw: Guard against malformed bucket URLs

Fixes: https://tracker.ceph.com/issues/55765
Fixes: https://tracker.ceph.com/issues/56586
Signed-off-by: Adam C. Emerson <aemerson@redhat.com>
Signed-off-by: Adam C. Emerson <aemerson@redhat.com>
Origin: upstream, https://github.com/ceph/ceph/pull/47194/commits/9746e8011ff1de6de7dba9c0041e28a16c8f6828.patch
Bug-Debian: https://bugs.debian.org/1027151
Last-Update: 2022-01-09

Misplaced colons can result in radosgw thinking is has a bucket URL
but with no bucket name, leading to a crash later on.

Gbp-Pq: Name CVE-2022-3854_1_rgw_Guard_against_malformed_bucket_URLs.patch
---

diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc
index 3d09a1e00..7ca5f7add 100644
--- a/src/rgw/rgw_common.cc
+++ b/src/rgw/rgw_common.cc
@@ -1265,6 +1265,11 @@ bool verify_bucket_permission_no_policy(const DoutPrefixProvider* dpp, struct re
 
 bool verify_bucket_permission_no_policy(const DoutPrefixProvider* dpp, struct req_state * const s, const int perm)
 {
+  if (rgw::sal::RGWBucket::empty(s->bucket)) {
+    // request is missing a bucket name
+    return false;
+  }
+
   perm_state_from_req_state ps(s);
 
   if (!verify_requester_payer_permission(&ps))