Disallow SSE requests when object layer has encryption disabled (#6981)

2025-11-09 05:34:56 -05:00 · 2018-12-14 21:39:59 -08:00
parent b6f9b24b30
commit 7c9f934875
2 changed files with 40 additions and 7 deletions
--- a/cmd/bucket-handlers.go
+++ b/cmd/bucket-handlers.go
@@ -482,7 +482,14 @@ func (api objectAPIHandlers) PostPolicyBucketHandler(w http.ResponseWriter, r *h
 		writeErrorResponse(w, ErrServerNotInitialized, r.URL, guessIsBrowserReq(r))
 		return
 	}
-
+	if crypto.S3KMS.IsRequested(r.Header) { // SSE-KMS is not supported
+		writeErrorResponse(w, ErrNotImplemented, r.URL, guessIsBrowserReq(r))
+		return
+	}
+	if !objectAPI.IsEncryptionSupported() && hasServerSideEncryptionHeader(r.Header) {
+		writeErrorResponse(w, ErrNotImplemented, r.URL, guessIsBrowserReq(r))
+		return
+	}
 	bucket := mux.Vars(r)["bucket"]

 	// Require Content-Length to be set in the request