From 004f1e2f66c99572974106dffbb333211a1b7b5c Mon Sep 17 00:00:00 2001 From: Klaus Post Date: Tue, 1 Aug 2023 08:45:57 -0700 Subject: [PATCH] Fix trailing header signature mismatch (#17774) Seems like clients may omit a newline at the end of the trailer chunk. Each header should end with a newline. Add that if missing. Fixes #17662 --- cmd/streaming-signature-v4.go | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/cmd/streaming-signature-v4.go b/cmd/streaming-signature-v4.go index bbf662af2..7f673ae97 100644 --- a/cmd/streaming-signature-v4.go +++ b/cmd/streaming-signature-v4.go @@ -443,6 +443,9 @@ func (cr *s3ChunkedReader) Read(buf []byte) (n int, err error) { // readTrailers will read all trailers and populate cr.trailers with actual values. func (cr *s3ChunkedReader) readTrailers() error { + if cr.debug { + fmt.Printf("pre trailer sig: %s\n", cr.seedSignature) + } var valueBuffer bytes.Buffer // Read value for { @@ -507,6 +510,16 @@ func (cr *s3ChunkedReader) readTrailers() error { } return errMalformedEncoding } + + // TODO: It seems like we may have to be prepared to rewrite and sort trailing headers: + // https://docs.aws.amazon.com/IAM/latest/UserGuide/create-signed-request.html + + // Any value must end with a newline. + // Not all clients send that. + trailerRaw := valueBuffer.Bytes() + if len(trailerRaw) > 0 && trailerRaw[len(trailerRaw)-1] != '\n' { + valueBuffer.Write([]byte{'\n'}) + } sig = sig[len("x-amz-trailer-signature:"):] sig = bytes.TrimSpace(sig) cr.chunkSHA256Writer.Write(valueBuffer.Bytes())