From 9205434ed3fdfc5db6fbd6cdb444dccf46f5af02 Mon Sep 17 00:00:00 2001 From: jiuker <2818723467@qq.com> Date: Sat, 20 Apr 2024 00:45:54 +0800 Subject: [PATCH] fix: ignore signaturev2 for policy header check (#19551) --- cmd/post-policy_test.go | 1 - cmd/postpolicyform.go | 5 +++++ cmd/signature-v4.go | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/cmd/post-policy_test.go b/cmd/post-policy_test.go index a694fef86..3c40da023 100644 --- a/cmd/post-policy_test.go +++ b/cmd/post-policy_test.go @@ -610,7 +610,6 @@ func newPostRequestV2(endPoint, bucketName, objectName string, accessKey, secret "key": objectName + "/${filename}", "policy": encodedPolicy, "signature": signature, - "X-Amz-Ignore-signature": "", "X-Amz-Ignore-AWSAccessKeyId": "", } diff --git a/cmd/postpolicyform.go b/cmd/postpolicyform.go index eab146d17..f03ca22ed 100644 --- a/cmd/postpolicyform.go +++ b/cmd/postpolicyform.go @@ -347,6 +347,11 @@ func checkPostPolicy(formValues http.Header, postPolicyForm PostPolicyForm) erro } delete(checkHeader, formCanonicalName) } + // For SignV2 - Signature field will be ignored + // Policy is generated from Signature with other fields, so it should be ignored + if _, ok := formValues[xhttp.AmzSignatureV2]; ok { + delete(checkHeader, xhttp.AmzSignatureV2) + } if len(checkHeader) != 0 { logKeys := make([]string, 0, len(checkHeader)) diff --git a/cmd/signature-v4.go b/cmd/signature-v4.go index ad292ea70..76a6db271 100644 --- a/cmd/signature-v4.go +++ b/cmd/signature-v4.go @@ -154,7 +154,7 @@ func getSignature(signingKey []byte, stringToSign string) string { // Check to see if Policy is signed correctly. func doesPolicySignatureMatch(formValues http.Header) (auth.Credentials, APIErrorCode) { // For SignV2 - Signature field will be valid - if _, ok := formValues["Signature"]; ok { + if _, ok := formValues[xhttp.AmzSignatureV2]; ok { return doesPolicySignatureV2Match(formValues) } return doesPolicySignatureV4Match(formValues)