From ed7c2d0a58fb87201777fb4097d5a2b650593b31 Mon Sep 17 00:00:00 2001 From: wangzengliang1 Date: Mon, 30 Jan 2023 09:32:19 +0800 Subject: [PATCH] fix CVE-2022-3854 --- src/rgw/rgw_common.cc | 5 +++++ src/rgw/rgw_sal.h | 6 +++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc index b44d4bf..ce7b94c 100644 --- a/src/rgw/rgw_common.cc +++ b/src/rgw/rgw_common.cc @@ -1279,6 +1279,11 @@ bool verify_bucket_permission_no_policy(const DoutPrefixProvider* dpp, struct re bool verify_bucket_permission(const DoutPrefixProvider* dpp, struct req_state * const s, const uint64_t op) { + if (rgw::sal::RGWBucket::empty(s->bucket)) { + // request is missing a bucket name + return false; + } + perm_state_from_req_state ps(s); return verify_bucket_permission(dpp, diff --git a/src/rgw/rgw_sal.h b/src/rgw/rgw_sal.h index 41da8bc..197f975 100644 --- a/src/rgw/rgw_sal.h +++ b/src/rgw/rgw_sal.h @@ -279,8 +279,12 @@ class RGWBucket { void convert(cls_user_bucket_entry *b) const { ent.convert(b); } + + /** Check if a Bucket pointer is empty */ + static bool empty(const RGWBucket* b) { return (!b || b->empty()); } + /** Check if a Bucket unique pointer is empty */ + static bool empty(const std::unique_ptr& b) { return (!b || b->empty()); } - static bool empty(RGWBucket* b) { return (!b || b->empty()); } virtual std::unique_ptr clone() = 0; /* dang - This is temporary, until the API is completed */ -- 2.13.0.windows.1