ceph/0016-CVE-2020-10753-1.patch

From 46817f30cee60bc5df8354ab326762e7c783fe2c Mon Sep 17 00:00:00 2001
From: Casey Bodley <cbodley@redhat.com>
Date: Tue, 26 May 2020 15:03:03 -0400
Subject: [PATCH] rgw: sanitize newlines in s3 CORSConfiguration's ExposeHeader

the values in the <ExposeHeader> element are sent back to clients in a
Access-Control-Expose-Headers response header. if the values are allowed
to have newlines in them, they can be used to inject arbitrary response
headers

this issue only affects s3, which gets these values from an xml document

in swift, they're given in the request header
X-Container-Meta-Access-Control-Expose-Headers, so the value itself
cannot contain newlines

Signed-off-by: Casey Bodley <cbodley@redhat.com>
Reported-by: Adam Mohammed <amohammed@linode.com>
---
 src/rgw/rgw_cors.cc | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/rgw/rgw_cors.cc b/src/rgw/rgw_cors.cc
index 07dbab5d3e2..0b3e4f39455 100644
--- a/src/rgw/rgw_cors.cc
+++ b/src/rgw/rgw_cors.cc
@@ -144,11 +144,12 @@ bool RGWCORSRule::is_header_allowed(const char *h, size_t len) {
 
 void RGWCORSRule::format_exp_headers(string& s) {
   s = "";
-  for(list<string>::iterator it = exposable_hdrs.begin();
-      it != exposable_hdrs.end(); ++it) {
-      if (s.length() > 0)
-        s.append(",");
-      s.append((*it));
+  for (const auto& header : exposable_hdrs) {
+    if (s.length() > 0)
+      s.append(",");
+    // these values are sent to clients in a 'Access-Control-Expose-Headers'
+    // response header, so we escape '\n' to avoid header injection
+    boost::replace_all_copy(std::back_inserter(s), header, "\n", "\\n");
   }
 }
 
-- 
2.23.0
fix CVE-2020-10753 CVE-2021-3524 CVE-2020-1760 Signed-off-by: chixinze <xmdxcxz@gmail.com> (cherry picked from commit ac0cf1417005186b4542f7e56d6815605e6d2c5c) 2021-07-26 16:47:18 +08:00			`From 46817f30cee60bc5df8354ab326762e7c783fe2c Mon Sep 17 00:00:00 2001`
			`From: Casey Bodley <cbodley@redhat.com>`
			`Date: Tue, 26 May 2020 15:03:03 -0400`
			`Subject: [PATCH] rgw: sanitize newlines in s3 CORSConfiguration's ExposeHeader`

			`the values in the <ExposeHeader> element are sent back to clients in a`
			`Access-Control-Expose-Headers response header. if the values are allowed`
			`to have newlines in them, they can be used to inject arbitrary response`
			`headers`

			`this issue only affects s3, which gets these values from an xml document`

			`in swift, they're given in the request header`
			`X-Container-Meta-Access-Control-Expose-Headers, so the value itself`
			`cannot contain newlines`

			`Signed-off-by: Casey Bodley <cbodley@redhat.com>`
			`Reported-by: Adam Mohammed <amohammed@linode.com>`
			`---`
			`src/rgw/rgw_cors.cc \| 11 ++++++-----`
			`1 file changed, 6 insertions(+), 5 deletions(-)`

			`diff --git a/src/rgw/rgw_cors.cc b/src/rgw/rgw_cors.cc`
			`index 07dbab5d3e2..0b3e4f39455 100644`
			`--- a/src/rgw/rgw_cors.cc`
			`+++ b/src/rgw/rgw_cors.cc`
			`@@ -144,11 +144,12 @@ bool RGWCORSRule::is_header_allowed(const char *h, size_t len) {`

			`void RGWCORSRule::format_exp_headers(string& s) {`
			`s = "";`
			`- for(list<string>::iterator it = exposable_hdrs.begin();`
			`- it != exposable_hdrs.end(); ++it) {`
			`- if (s.length() > 0)`
			`- s.append(",");`
			`- s.append((*it));`
			`+ for (const auto& header : exposable_hdrs) {`
			`+ if (s.length() > 0)`
			`+ s.append(",");`
			`+ // these values are sent to clients in a 'Access-Control-Expose-Headers'`
			`+ // response header, so we escape '\n' to avoid header injection`
			`+ boost::replace_all_copy(std::back_inserter(s), header, "\n", "\\n");`
			`}`
			`}`

			`--`
			`2.23.0`