MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-01-11 15:03:22 -05:00
Code Issues Packages Projects Releases Wiki Activity

allow disabling strict sha256 validation with some broken clients (#13383)

Browse Source 
with some broken clients allow non-strict validation
of sha256 when ContentLength > 0, it has been found in
the wild some applications that need this behavior. This
shall be only allowed if `--no-compat` is used.
This commit is contained in:
Harshavardhana 2021-10-08 12:40:34 -07:00 committed by GitHub
parent 0c48b1d993
commit 60f961dfe8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 30 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
cmd/fs-v1-multipart_test.go
View File

@ -58,9 +58,9 @@ func TestFSCleanupMultipartUploadsInRoutine(t *testing.T) {
}, obj.SetDriveCounts()) }, obj.SetDriveCounts())
defer func() { defer func() {
globalAPIConfig = apiConfig{ globalAPIConfig.init(api.Config{
listQuorum: 3, ListQuorum: "optimal",
} }, obj.SetDriveCounts())
}() }()
var cleanupWg sync.WaitGroup var cleanupWg sync.WaitGroup

4
cmd/server-main.go
View File

@ -587,6 +587,10 @@ func serverMain(ctx *cli.Context) {
logStartupMessage(color.RedBold(msg)) logStartupMessage(color.RedBold(msg))
} }
if !globalCLIContext.StrictS3Compat {
logStartupMessage(color.RedBold("WARNING: Strict AWS S3 compatible incoming PUT, POST content payload validation is turned off, caution is advised do not use in production"))
}
if globalBrowserEnabled { if globalBrowserEnabled {
globalConsoleSrv, err = initConsoleServer() globalConsoleSrv, err = initConsoleServer()
if err != nil { if err != nil {

23
cmd/signature-v4-utils.go
View File

@ -55,9 +55,30 @@ func skipContentSha256Cksum(r *http.Request) bool {
v, ok = r.Header[xhttp.AmzContentSha256] v, ok = r.Header[xhttp.AmzContentSha256]
} }
// Skip if no header was set.
if !ok {
return true
}
// If x-amz-content-sha256 is set and the value is not // If x-amz-content-sha256 is set and the value is not
// 'UNSIGNED-PAYLOAD' we should validate the content sha256. // 'UNSIGNED-PAYLOAD' we should validate the content sha256.
return !(ok && v[0] != unsignedPayload) switch v[0] {
case unsignedPayload:
return true
case emptySHA256:
// some broken clients set empty-sha256
// with > 0 content-length in the body,
// we should skip such clients and allow
// blindly such insecure clients only if
// S3 strict compatibility is disabled.
if r.ContentLength > 0 && !globalCLIContext.StrictS3Compat {
// We return true only in situations when
// deployment has asked MinIO to allow for
// such broken clients and content-length > 0.
return true
}
}
return false
} }
// Returns SHA256 for calculating canonical-request. // Returns SHA256 for calculating canonical-request.

2
internal/config/api/api.go
View File

@ -50,7 +50,7 @@ const (
EnvAPICorsAllowOrigin = "MINIO_API_CORS_ALLOW_ORIGIN" EnvAPICorsAllowOrigin = "MINIO_API_CORS_ALLOW_ORIGIN"
EnvAPIRemoteTransportDeadline = "MINIO_API_REMOTE_TRANSPORT_DEADLINE" EnvAPIRemoteTransportDeadline = "MINIO_API_REMOTE_TRANSPORT_DEADLINE"
EnvAPIListQuorum = "MINIO_API_LIST_QUORUM" EnvAPIListQuorum = "MINIO_API_LIST_QUORUM"
EnvAPISecureCiphers = "MINIO_API_SECURE_CIPHERS" EnvAPISecureCiphers = "MINIO_API_SECURE_CIPHERS" // default "on"
EnvAPIReplicationWorkers = "MINIO_API_REPLICATION_WORKERS" EnvAPIReplicationWorkers = "MINIO_API_REPLICATION_WORKERS"
EnvAPIReplicationFailedWorkers = "MINIO_API_REPLICATION_FAILED_WORKERS" EnvAPIReplicationFailedWorkers = "MINIO_API_REPLICATION_FAILED_WORKERS"
EnvAPITransitionWorkers = "MINIO_API_TRANSITION_WORKERS" EnvAPITransitionWorkers = "MINIO_API_TRANSITION_WORKERS"