From 5f243fde9a233d2448a1acb857dece8653c84eec Mon Sep 17 00:00:00 2001
From: Klaus Post
Date: Tue, 1 Apr 2025 11:23:27 -0700
Subject: [PATCH] Fix anonymous unsigned trailing headers (#21095)
Do not fail on anonymous requests with trailing headers. Fixes #21005 With modified minio-go (will send PR): ``` PUT /tbb/mc.exe HTTP/1.1 Host: 127.0.0.1:9001 User-Agent: MinIO (windows; amd64) minio-go/v7.0.90 mc/DEVELOPMENT.GOGET Content-Length: 44301288 Accept-Encoding: zstd,gzip Content-Encoding: aws-chunked Content-Type: application/x-msdownload X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER X-Amz-Date: 20250401T150402Z X-Amz-Decoded-Content-Length: 44295168 X-Amz-Trailer: x-amz-checksum-crc32 mc: HTTP/1.1 200 OK Content-Length: 0 Accept-Ranges: bytes Date: Tue, 01 Apr 2025 15:04:02 GMT Etag: "46273a30f232dc015ead1c0da8925c98" Server: MinIO Strict-Transport-Security: max-age=31536000; includeSubDomains Vary: Origin Vary: Accept-Encoding X-Amz-Checksum-Crc32: wElc/A== X-Amz-Id-2: 7987905dee74cdeb212432486a178e511309594cee7cb75f892cd53e35f09ea4 X-Amz-Request-Id: 18323A0F322B41C8 X-Content-Type-Options: nosniff X-Ratelimit-Limit: 2478 X-Ratelimit-Remaining: 2478 X-Xss-Protection: 1; mode=block ``` Tested on multipart uploads as well.
---
 cmd/auth-handler.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/cmd/auth-handler.go b/cmd/auth-handler.go
index dd4895910..53d285e4f 100644
--- a/cmd/auth-handler.go
+++ b/cmd/auth-handler.go
@@ -754,8 +754,14 @@ func isPutActionAllowed(ctx context.Context, atype authType, bucketName, objectN
 return ErrSignatureVersionNotSupported
 case authTypeSignedV2, authTypePresignedV2:
 cred, owner, s3Err = getReqAccessKeyV2(r)
- case authTypeStreamingSigned, authTypePresigned, authTypeSigned, authTypeStreamingSignedTrailer, authTypeStreamingUnsignedTrailer:
+ case authTypeStreamingSigned, authTypePresigned, authTypeSigned, authTypeStreamingSignedTrailer:
 cred, owner, s3Err = getReqAccessKeyV4(r, region, serviceS3)
+ case authTypeStreamingUnsignedTrailer:
+ cred, owner, s3Err = getReqAccessKeyV4(r, region, serviceS3)
+ if s3Err == ErrMissingFields {
+ // Could be anonymous. cred + owner is zero value.
+ s3Err = ErrNone
+ }
 }
 if s3Err != ErrNone {
 return s3Err
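Review bot: The new `authTypeStreamingUnsignedTrailer` case turns every `ErrMissingFields` into `ErrNone`, so the anonymous fallback depends on an error code rather than on the request actually carrying no credentials. If `getReqAccessKeyV4` can also return `ErrMissingFields` for a present but malformed Authorization header (its body is not visible here), such a request would be treated as anonymous instead of rejected, and the signing failure would not show up in logs. Consider narrowing the condition, e.g. `if s3Err == ErrMissingFields && r.Header.Get("Authorization") == "" {`, assuming `r` is the `*http.Request`. The comment could also state that access in this case is decided only by the policy check that follows with a zero-value `cred`. `isPutActionAllowed` starts and ends outside the hunk, so confirm there that an empty access key is evaluated as an anonymous principal.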