diff --git a/cmd/api-router.go b/cmd/api-router.go index 3b7751888..76a3ddc28 100644 --- a/cmd/api-router.go +++ b/cmd/api-router.go @@ -245,10 +245,10 @@ func registerAPIRouter(router *mux.Router) { router.Methods(http.MethodPut).Path("/{object:.+}"). HeadersRegexp(xhttp.AmzCopySource, ".*?(\\/|%2F).*?"). HandlerFunc(collectAPIStats("copyobjectpart", maxClients(gz(httpTraceAll(api.CopyObjectPartHandler))))). - Queries("partNumber", "{partNumber:[0-9]+}", "uploadId", "{uploadId:.*}") + Queries("partNumber", "{partNumber:.*}", "uploadId", "{uploadId:.*}") // PutObjectPart router.Methods(http.MethodPut).Path("/{object:.+}").HandlerFunc( - collectAPIStats("putobjectpart", maxClients(gz(httpTraceHdrs(api.PutObjectPartHandler))))).Queries("partNumber", "{partNumber:[0-9]+}", "uploadId", "{uploadId:.*}") + collectAPIStats("putobjectpart", maxClients(gz(httpTraceHdrs(api.PutObjectPartHandler))))).Queries("partNumber", "{partNumber:.*}", "uploadId", "{uploadId:.*}") // ListObjectParts router.Methods(http.MethodGet).Path("/{object:.+}").HandlerFunc( collectAPIStats("listobjectparts", maxClients(gz(httpTraceAll(api.ListObjectPartsHandler))))).Queries("uploadId", "{uploadId:.*}") diff --git a/cmd/object-handlers_test.go b/cmd/object-handlers_test.go index 97ce3574c..e603e4c25 100644 --- a/cmd/object-handlers_test.go +++ b/cmd/object-handlers_test.go @@ -3693,6 +3693,27 @@ func testAPIPutObjectPartHandler(obj ObjectLayer, instanceType, bucketName strin expectedAPIError: ErrInvalidAccessKeyID, }, + // Case where part number is invalid. + 9: { + objectName: testObject, + content: "hello", + partNumber: "0", + fault: None, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, + + expectedAPIError: ErrInvalidPart, + }, + 10: { + objectName: testObject, + content: "hello", + partNumber: "-10", + fault: None, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, + + expectedAPIError: ErrInvalidPart, + }, } reqV2Str := "V2 Signed HTTP request" diff --git a/cmd/object-multipart-handlers.go b/cmd/object-multipart-handlers.go index 6cf110cb1..7f9e366ab 100644 --- a/cmd/object-multipart-handlers.go +++ b/cmd/object-multipart-handlers.go @@ -285,7 +285,7 @@ func (api objectAPIHandlers) CopyObjectPartHandler(w http.ResponseWriter, r *htt partIDString := r.Form.Get(xhttp.PartNumber) partID, err := strconv.Atoi(partIDString) - if err != nil { + if err != nil || partID <= 0 { writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidPart), r.URL) return } @@ -615,7 +615,7 @@ func (api objectAPIHandlers) PutObjectPartHandler(w http.ResponseWriter, r *http partIDString := r.Form.Get(xhttp.PartNumber) partID, err := strconv.Atoi(partIDString) - if err != nil { + if err != nil || partID <= 0 { writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidPart), r.URL) return } diff --git a/cmd/test-utils_test.go b/cmd/test-utils_test.go index c3ba383e8..c08843752 100644 --- a/cmd/test-utils_test.go +++ b/cmd/test-utils_test.go @@ -2008,10 +2008,10 @@ func registerBucketLevelFunc(bucket *mux.Router, api objectAPIHandlers, apiFunct bucket.Methods(http.MethodPost).Path("/{object:.+}").HandlerFunc(api.NewMultipartUploadHandler).Queries("uploads", "") case "CopyObjectPart": // Register CopyObjectPart handler. - bucket.Methods(http.MethodPut).Path("/{object:.+}").HeadersRegexp("X-Amz-Copy-Source", ".*?(\\/|%2F).*?").HandlerFunc(api.CopyObjectPartHandler).Queries("partNumber", "{partNumber:[0-9]+}", "uploadId", "{uploadId:.*}") + bucket.Methods(http.MethodPut).Path("/{object:.+}").HeadersRegexp("X-Amz-Copy-Source", ".*?(\\/|%2F).*?").HandlerFunc(api.CopyObjectPartHandler).Queries("partNumber", "{partNumber:.*}", "uploadId", "{uploadId:.*}") case "PutObjectPart": // Register PutObjectPart handler. - bucket.Methods(http.MethodPut).Path("/{object:.+}").HandlerFunc(api.PutObjectPartHandler).Queries("partNumber", "{partNumber:[0-9]+}", "uploadId", "{uploadId:.*}") + bucket.Methods(http.MethodPut).Path("/{object:.+}").HandlerFunc(api.PutObjectPartHandler).Queries("partNumber", "{partNumber:.*}", "uploadId", "{uploadId:.*}") case "ListObjectParts": // Register ListObjectParts handler. bucket.Methods(http.MethodGet).Path("/{object:.+}").HandlerFunc(api.ListObjectPartsHandler).Queries("uploadId", "{uploadId:.*}")