fix authentication bypass against Admin-API (#5412)

This change fixes an authentication bypass against the
minio Admin-API. The Admin-API now rejects all types of
requests except valid signature V2 and signature V4 requests;
signature V2/V4 pre-signed requests are rejected as well.

Fixes #5411
Andreas Auernhammer
2018-01-17 19:36:25 +01:00
committed by kannappanr
parent 24d9d7e5fa
commit 3f09c17bfe
3 changed files with 90 additions and 13 deletions


@@ -18,6 +18,7 @@ package cmd
import (
"bytes"
"errors"
"io/ioutil"
"net/http"
"strings"
@@ -101,6 +102,19 @@ func getRequestAuthType(r *http.Request) authType {
return authTypeUnknown
}
// checkAdminRequestAuthType checks whether the request is a valid signature V2 or V4 request.
// It does not accept presigned or JWT or anonymous requests.
func checkAdminRequestAuthType(r *http.Request, region string) APIErrorCode {
s3Err := ErrAccessDenied
if getRequestAuthType(r) == authTypeSigned { // we only support V4 (no presign)
s3Err = isReqAuthenticated(r, region)
}
if s3Err != ErrNone {
errorIf(errors.New(getAPIError(s3Err).Description), "%s", dumpRequest(r))
}
return s3Err
}
func checkRequestAuthType(r *http.Request, bucket, policyAction, region string) APIErrorCode {
reqAuthType := getRequestAuthType(r)