do not check for query params to be signed headers (#18283)

x-amz-signed-headers lists HTTP headers only, not query parameters;
using it to verify query parameters as well can lead to spurious
signature failures.

The generated presigned URL with custom metadata
is already kosher (tamper proof).

fixes #18281
Harshavardhana 2023-10-19 21:32:49 -07:00 committed by GitHub
parent c5636143c6
commit 780882efcf
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 0 additions and 23 deletions


@ -273,15 +273,5 @@ func checkMetaHeaders(signedHeadersMap http.Header, r *http.Request) APIErrorCod
}
}
// check values from url, if no http header
for k, val := range r.Form {
if stringsHasPrefixFold(k, "x-amz-meta-") {
if signedHeadersMap.Get(http.CanonicalHeaderKey(k)) == val[0] {
continue
}
return ErrUnsignedHeaders
}
}
return ErrNone
}


@ -394,17 +394,4 @@ func TestCheckMetaHeaders(t *testing.T) {
if errCode != ErrNone {
t.Fatalf("Expected the APIErrorCode to be %d, but got %d", ErrNone, errCode)
}
// Add extra metadata in url values
r, err = http.NewRequest(http.MethodPut, "http://play.min.io:9000?x-amz-meta-test=test&x-amz-meta-extension=png&x-amz-meta-name=imagepng&x-amz-meta-clone=fail", nil)
if err != nil {
t.Fatal("Unable to create http.Request :", err)
}
r.ParseForm()
// calling the function being tested.
errCode = checkMetaHeaders(signedHeadersMap, r)
if errCode != ErrUnsignedHeaders {
t.Fatalf("Expected the APIErrorCode to be %d, but got %d", ErrUnsignedHeaders, errCode)
}
}