From 780882efcf3acfdc83261a6ce233c1a7a5769a14 Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Thu, 19 Oct 2023 21:32:49 -0700
Subject: [PATCH] do not check for query params to be signed headers (#18283)

x-amz-signed-headers is meant for HTTP headers only not for query params, using that to verify things further can lead to failure.

The generated presigned URL with custom metadata is already kosher (tamper proof).

fixes #18281
---
 cmd/signature-v4-utils.go | 10 ----------
 cmd/signature-v4-utils_test.go | 13 -------------
 2 files changed, 23 deletions(-)

diff --git a/cmd/signature-v4-utils.go b/cmd/signature-v4-utils.go
index 94e879cca..b520b23dd 100644
--- a/cmd/signature-v4-utils.go
+++ b/cmd/signature-v4-utils.go
@@ -273,15 +273,5 @@ func checkMetaHeaders(signedHeadersMap http.Header, r *http.Request) APIErrorCod
 }
 }
 
- // check values from url, if no http header
- for k, val := range r.Form {
- if stringsHasPrefixFold(k, "x-amz-meta-") {
- if signedHeadersMap.Get(http.CanonicalHeaderKey(k)) == val[0] {
- continue
- }
- return ErrUnsignedHeaders
- }
- }
-
 return ErrNone
 }
diff --git a/cmd/signature-v4-utils_test.go b/cmd/signature-v4-utils_test.go
index b5893cc71..be724ec35 100644
--- a/cmd/signature-v4-utils_test.go
+++ b/cmd/signature-v4-utils_test.go
@@ -394,17 +394,4 @@ func TestCheckMetaHeaders(t *testing.T) {
 if errCode != ErrNone {
 t.Fatalf("Expected the APIErrorCode to be %d, but got %d", ErrNone, errCode)
 }
-
- // Add extra metadata in url values
- r, err = http.NewRequest(http.MethodPut, "http://play.min.io:9000?x-amz-meta-test=test&x-amz-meta-extension=png&x-amz-meta-name=imagepng&x-amz-meta-clone=fail", nil)
- if err != nil {
- t.Fatal("Unable to create http.Request :", err)
- }
- r.ParseForm()
- // calling the function being tested.
- errCode = checkMetaHeaders(signedHeadersMap, r)
- if errCode != ErrUnsignedHeaders {
- t.Fatalf("Expected the APIErrorCode to be %d, but got %d", ErrUnsignedHeaders, errCode)
- }
 }
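Review bot: The deleted loop in checkMetaHeaders was the only place the function consulted r.Form, so after this hunk query-string x-amz-meta-* values are no longer cross-checked against the signed-headers map at all; that is defensible only because SigV4 folds the canonical query string into the string-to-sign for presigned and Authorization-header requests alike, and nothing in the remaining code says so. I would leave that reasoning in the function, just above `return ErrNone`: `// Query-string x-amz-meta-* values are deliberately not checked here: SigV4 signs the canonical query string, so a tampered presigned URL already fails signature verification.` The test hunk removes the negative case without adding the positive one this commit exists for — a request carrying `?x-amz-meta-test=test` and no matching entry in signedHeadersMap should now be asserted to return ErrNone, otherwise #18281 has no regression coverage. The body of checkMetaHeaders (and of TestCheckMetaHeaders) begins before the hunk, so I cannot see whether an existing doc comment still describes the removed URL check.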