mirror of
https://github.com/minio/minio.git
synced 2024-12-23 21:55:53 -05:00
allow disabling strict sha256 validation with some broken clients (#13383)
with some broken clients allow non-strict validation of sha256 when ContentLength > 0, it has been found in the wild some applications that need this behavior. This shall be only allowed if `--no-compat` is used.
This commit is contained in:
parent
0c48b1d993
commit
60f961dfe8
@ -58,9 +58,9 @@ func TestFSCleanupMultipartUploadsInRoutine(t *testing.T) {
|
||||
}, obj.SetDriveCounts())
|
||||
|
||||
defer func() {
|
||||
globalAPIConfig = apiConfig{
|
||||
listQuorum: 3,
|
||||
}
|
||||
globalAPIConfig.init(api.Config{
|
||||
ListQuorum: "optimal",
|
||||
}, obj.SetDriveCounts())
|
||||
}()
|
||||
|
||||
var cleanupWg sync.WaitGroup
|
||||
|
@ -587,6 +587,10 @@ func serverMain(ctx *cli.Context) {
|
||||
logStartupMessage(color.RedBold(msg))
|
||||
}
|
||||
|
||||
if !globalCLIContext.StrictS3Compat {
|
||||
logStartupMessage(color.RedBold("WARNING: Strict AWS S3 compatible incoming PUT, POST content payload validation is turned off, caution is advised do not use in production"))
|
||||
}
|
||||
|
||||
if globalBrowserEnabled {
|
||||
globalConsoleSrv, err = initConsoleServer()
|
||||
if err != nil {
|
||||
|
@ -55,9 +55,30 @@ func skipContentSha256Cksum(r *http.Request) bool {
|
||||
v, ok = r.Header[xhttp.AmzContentSha256]
|
||||
}
|
||||
|
||||
// Skip if no header was set.
|
||||
if !ok {
|
||||
return true
|
||||
}
|
||||
|
||||
// If x-amz-content-sha256 is set and the value is not
|
||||
// 'UNSIGNED-PAYLOAD' we should validate the content sha256.
|
||||
return !(ok && v[0] != unsignedPayload)
|
||||
switch v[0] {
|
||||
case unsignedPayload:
|
||||
return true
|
||||
case emptySHA256:
|
||||
// some broken clients set empty-sha256
|
||||
// with > 0 content-length in the body,
|
||||
// we should skip such clients and allow
|
||||
// blindly such insecure clients only if
|
||||
// S3 strict compatibility is disabled.
|
||||
if r.ContentLength > 0 && !globalCLIContext.StrictS3Compat {
|
||||
// We return true only in situations when
|
||||
// deployment has asked MinIO to allow for
|
||||
// such broken clients and content-length > 0.
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
// Returns SHA256 for calculating canonical-request.
|
||||
|
@ -50,7 +50,7 @@ const (
|
||||
EnvAPICorsAllowOrigin = "MINIO_API_CORS_ALLOW_ORIGIN"
|
||||
EnvAPIRemoteTransportDeadline = "MINIO_API_REMOTE_TRANSPORT_DEADLINE"
|
||||
EnvAPIListQuorum = "MINIO_API_LIST_QUORUM"
|
||||
EnvAPISecureCiphers = "MINIO_API_SECURE_CIPHERS"
|
||||
EnvAPISecureCiphers = "MINIO_API_SECURE_CIPHERS" // default "on"
|
||||
EnvAPIReplicationWorkers = "MINIO_API_REPLICATION_WORKERS"
|
||||
EnvAPIReplicationFailedWorkers = "MINIO_API_REPLICATION_FAILED_WORKERS"
|
||||
EnvAPITransitionWorkers = "MINIO_API_TRANSITION_WORKERS"
|
||||
|
Loading…
Reference in New Issue
Block a user