代码拉取完成,页面将自动刷新
同步操作将从 src-openEuler/ceph 强制同步,此操作会覆盖自 Fork 仓库以来所做的任何修改,且无法恢复!!!
确定后同步将在后台操作,完成时将刷新页面,请耐心等待。
From 763aebb94678018f89427137ffbc0c5205b1edc1 Mon Sep 17 00:00:00 2001
From: Casey Bodley <cbodley@redhat.com>
Date: Tue, 4 May 2021 08:32:58 -0400
Subject: [PATCH] rgw: sanitize \r in s3 CORSConfiguration's ExposeHeader
follows up on 1524d3c0c5cb11775313ea1e2bb36a93257947f2 to escape \r as
well
Fixes: CVE-2021-3524
Reported-by: Sergey Bobrov <Sergey.Bobrov@kaspersky.com>
Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 87806f48e7a1b8891eb90711f1cedd26f1119aac)
---
src/rgw/rgw_cors.cc | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/rgw/rgw_cors.cc b/src/rgw/rgw_cors.cc
index 0b3e4f39455..bfe83d6420e 100644
--- a/src/rgw/rgw_cors.cc
+++ b/src/rgw/rgw_cors.cc
@@ -148,8 +148,9 @@ void RGWCORSRule::format_exp_headers(string& s) {
if (s.length() > 0)
s.append(",");
// these values are sent to clients in a 'Access-Control-Expose-Headers'
- // response header, so we escape '\n' to avoid header injection
- boost::replace_all_copy(std::back_inserter(s), header, "\n", "\\n");
+ // response header, so we escape '\n' and '\r' to avoid header injection
+ std::string tmp = boost::replace_all_copy(header, "\n", "\\n");
+ boost::replace_all_copy(std::back_inserter(s), tmp, "\r", "\\r");
}
}
--
2.23.0
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。
马建仓 AI 助手