Fail PutBucketPolicy if conditions are incompatible with actions. (#3659)

2025-11-07 21:02:58 -05:00 · 2017-01-30 22:50:16 +05:30
parent 9b6bcb30d9
commit 2665aba555
3 changed files with 52 additions and 29 deletions
--- a/cmd/bucket-policy-handlers.go
+++ b/cmd/bucket-policy-handlers.go
@@ -97,6 +97,9 @@ func bucketPolicyConditionMatch(conditions map[string]set.StringSet, statement p
 	// - s3:max-keys
 	// - s3:aws-Referer

+	// The following loop evaluates the logical AND of all the
+	// conditions in the statement. Note: we can break out of the
+	// loop if and only if a condition evaluates to false.
 	for condition, conditionKeyVal := range statement.Conditions {
 		prefixConditon := conditionKeyVal["s3:prefix"]
 		maxKeyCondition := conditionKeyVal["s3:max-keys"]
@@ -126,13 +129,17 @@ func bucketPolicyConditionMatch(conditions map[string]set.StringSet, statement p
 			}
 			// wildcard match of referer in statement was not empty.
 			// StringLike has a match, i.e, condition evaluates to true.
+			refererFound := false
 			for referer := range conditions["referer"] {
 				if !awsReferers.FuncMatch(refererMatch, referer).IsEmpty() {
-					return true
+					refererFound = true
+					break
 				}
 			}
 			// No matching referer found, so the condition is false.
-			return false
+			if !refererFound {
+				return false
+			}
 		} else if condition == "StringNotLike" {
 			awsReferers := conditionKeyVal["aws:Referer"]
 			// Skip empty condition, it is trivially satisfied.
@@ -146,11 +153,9 @@ func bucketPolicyConditionMatch(conditions map[string]set.StringSet, statement p
 					return false
 				}
 			}
-			// No matching referer found, so the condition is true.
-			return true
 		}
 	}
-	// No conditions were present in the statement, so trivially true (always).
+
 	return true
 }