From: Matt Benjamin Date: Fri, 27 Mar 2020 17:13:48 +0000 (+0100) Subject: rgw: reject unauthenticated response-header actions X-Git-Tag: archive/raspbian/12.2.11+dfsg1-2.1+rpi1+deb10u1^2~17 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=e3be5c9232f2bfb5628195e2f2ffeb3bd617c9e2;p=ceph.git rgw: reject unauthenticated response-header actions Signed-off-by: Matt Benjamin Reviewed-by: Casey Bodley (cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400) Origin: upstream, https://github.com/ceph/ceph/pull/34504/commits/ba0790a01ba5252db1ebc299db6e12cd758d0ff9 Gbp-Pq: Name CVE-2020-1760-1.patch
---
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index 6534e254e..547e9056f 100644
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -268,6 +268,11 @@ int RGWGetObj_ObjStore_S3::send_response_data(bufferlist& bl, off_t bl_ofs,
 bool exists;
 string val = s->info.args.get(p->param, &exists);
 if (exists) {
+ /* reject unauthenticated response header manipulation, see
+ * https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html */
+ if (s->auth.identity->is_anonymous()) {
+ return -EPERM;
+ }
 if (strcmp(p->param, "response-content-type") != 0) {
 response_attrs[p->http_attr] = val;
 } else {
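Review bot: The new guard decides purely on who the caller is, while `val` is still copied verbatim from the query string into `response_attrs[p->http_attr]` on the context line just below it, so the header value itself is never validated for any authenticated caller; a value check in front of that assignment, `if (val.find_first_of("\r\n") != string::npos) { return -EINVAL; }`, would make the response-* path safe independently of how the identity was established. The guard also dereferences `s->auth.identity` unconditionally, which is fine only if every path into send_response_data runs after authentication has populated it; that looks likely here, but the enclosing function begins and ends outside the hunk, so it is worth confirming at the call sites. The added comment links the AWS page but does not say which rule it is applying; stating it directly, e.g. `/* AWS requires response-* overrides to be signed; anonymous requests may not use them */`, saves the next reader a trip to the docs.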