MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-04-04 03:40:30 -04:00
Code Issues Packages Projects Releases Wiki Activity

fix: post policy request security bypass (#16849)

Browse Source
This commit is contained in:
Aditya Manthramurthy 2023-03-19 21:15:20 -07:00 committed by GitHub
parent 440ad20c1d
commit 67f4ba154a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 9 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
cmd/api-router.go
View File

@ -434,8 +434,9 @@ func registerAPIRouter(router *mux.Router) {
router.Methods(http.MethodHead).HandlerFunc( router.Methods(http.MethodHead).HandlerFunc(
collectAPIStats("headbucket", maxClients(gz(httpTraceAll(api.HeadBucketHandler))))) collectAPIStats("headbucket", maxClients(gz(httpTraceAll(api.HeadBucketHandler)))))
// PostPolicy // PostPolicy
router.Methods(http.MethodPost).HeadersRegexp(xhttp.ContentType, "multipart/form-data*").HandlerFunc( router.Methods(http.MethodPost).MatcherFunc(func(r *http.Request, _ *mux.RouteMatch) bool {
collectAPIStats("postpolicybucket", maxClients(gz(httpTraceHdrs(api.PostPolicyBucketHandler))))) return isRequestPostPolicySignatureV4(r)
}).HandlerFunc(collectAPIStats("postpolicybucket", maxClients(gz(httpTraceHdrs(api.PostPolicyBucketHandler)))))
// DeleteMultipleObjects // DeleteMultipleObjects
router.Methods(http.MethodPost).HandlerFunc( router.Methods(http.MethodPost).HandlerFunc(
collectAPIStats("deletemultipleobjects", maxClients(gz(httpTraceAll(api.DeleteMultipleObjectsHandler))))).Queries("delete", "") collectAPIStats("deletemultipleobjects", maxClients(gz(httpTraceAll(api.DeleteMultipleObjectsHandler))))).Queries("delete", "")

8
cmd/auth-handler.go
View File

@ -25,6 +25,7 @@ import (
"encoding/hex" "encoding/hex"
"errors" "errors"
"io" "io"
"mime"
"net/http" "net/http"
"net/url" "net/url"
"strconv" "strconv"
@ -74,8 +75,11 @@ func isRequestPresignedSignatureV2(r *http.Request) bool {
// Verify if request has AWS Post policy Signature Version '4'. // Verify if request has AWS Post policy Signature Version '4'.
func isRequestPostPolicySignatureV4(r *http.Request) bool { func isRequestPostPolicySignatureV4(r *http.Request) bool {
return strings.Contains(r.Header.Get(xhttp.ContentType), "multipart/form-data") && mediaType, _, err := mime.ParseMediaType(r.Header.Get(xhttp.ContentType))
r.Method == http.MethodPost if err != nil {
return false
}
return mediaType == "multipart/form-data" && r.Method == http.MethodPost
} }
// Verify if the request has AWS Streaming Signature Version '4'. This is only valid for 'PUT' operation. // Verify if the request has AWS Streaming Signature Version '4'. This is only valid for 'PUT' operation.