Fix trailing header signature mismatch (#17774)

Seems like clients may omit a newline at the end of the trailer chunk. Each header should end with a newline. Add that if missing.

Fixes #17662
This commit is contained in:
Klaus Post 2023-08-01 08:45:57 -07:00 committed by GitHub
parent 2fa561f22e
commit 004f1e2f66
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -443,6 +443,9 @@ func (cr *s3ChunkedReader) Read(buf []byte) (n int, err error) {
// readTrailers will read all trailers and populate cr.trailers with actual values.
func (cr *s3ChunkedReader) readTrailers() error {
if cr.debug {
fmt.Printf("pre trailer sig: %s\n", cr.seedSignature)
}
var valueBuffer bytes.Buffer
// Read value
for {
@ -507,6 +510,16 @@ func (cr *s3ChunkedReader) readTrailers() error {
}
return errMalformedEncoding
}
// TODO: It seems like we may have to be prepared to rewrite and sort trailing headers:
// https://docs.aws.amazon.com/IAM/latest/UserGuide/create-signed-request.html
// Any value must end with a newline.
// Not all clients send that.
trailerRaw := valueBuffer.Bytes()
if len(trailerRaw) > 0 && trailerRaw[len(trailerRaw)-1] != '\n' {
valueBuffer.Write([]byte{'\n'})
}
sig = sig[len("x-amz-trailer-signature:"):]
sig = bytes.TrimSpace(sig)
cr.chunkSHA256Writer.Write(valueBuffer.Bytes())