From: Casey Bodley <cbodley@redhat.com>
Date: Tue, 4 May 2021 12:32:58 +0000 (-0400)
Subject: rgw: sanitize \r in s3 CORSConfiguration's ExposeHeader
X-Git-Tag: archive/raspbian/12.2.11+dfsg1-2.1+rpi1+deb10u1^2~5
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=aba4664babc033b5c15d919388e7a68a1316317c;p=ceph.git

rgw: sanitize \r in s3 CORSConfiguration's ExposeHeader

follows up on 1524d3c0c5cb11775313ea1e2bb36a93257947f2 to escape \r as
well

Fixes: CVE-2021-3524

Reported-by: Sergey Bobrov <Sergey.Bobrov@kaspersky.com>
Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 87806f48e7a1b8891eb90711f1cedd26f1119aac)

Origin: upstream, https://github.com/ceph/ceph/commit/763aebb94678018f89427137ffbc0c5205b1edc1

Gbp-Pq: Name CVE-2021-3524.patch
---

diff --git a/src/rgw/rgw_cors.cc b/src/rgw/rgw_cors.cc
index 2d9863bb2..31f5b8257 100644
--- a/src/rgw/rgw_cors.cc
+++ b/src/rgw/rgw_cors.cc
@@ -147,8 +147,9 @@ void RGWCORSRule::format_exp_headers(string& s) {
     if (s.length() > 0)
       s.append(",");
     // these values are sent to clients in a 'Access-Control-Expose-Headers'
-    // response header, so we escape '\n' to avoid header injection
-    boost::replace_all_copy(std::back_inserter(s), header, "\n", "\\n");
+    // response header, so we escape '\n' and '\r' to avoid header injection
+    std::string tmp = boost::replace_all_copy(header, "\n", "\\n");
+    boost::replace_all_copy(std::back_inserter(s), tmp, "\r", "\\r");
   }
 }