mirror of
https://github.com/minio/minio.git
synced 2025-01-11 15:03:22 -05:00
parent
8cb6184f1d
commit
88286cf8d0
@ -222,14 +222,6 @@ func doesPresignedSignatureMatch(hashedPayload string, r *http.Request, region s
|
||||
return errCode
|
||||
}
|
||||
|
||||
// Construct new query.
|
||||
query := make(url.Values)
|
||||
if req.URL.Query().Get(xhttp.AmzContentSha256) != "" {
|
||||
query.Set(xhttp.AmzContentSha256, hashedPayload)
|
||||
}
|
||||
|
||||
query.Set(xhttp.AmzAlgorithm, signV4Algorithm)
|
||||
|
||||
// If the host which signed the request is slightly ahead in time (by less than globalMaxSkewTime) the
|
||||
// request should still be allowed.
|
||||
if pSignValues.Date.After(UTCNow().Add(globalMaxSkewTime)) {
|
||||
@ -244,6 +236,20 @@ func doesPresignedSignatureMatch(hashedPayload string, r *http.Request, region s
|
||||
t := pSignValues.Date
|
||||
expireSeconds := int(pSignValues.Expires / time.Second)
|
||||
|
||||
// Construct new query.
|
||||
query := make(url.Values)
|
||||
clntHashedPayload := req.URL.Query().Get(xhttp.AmzContentSha256)
|
||||
if clntHashedPayload != "" {
|
||||
query.Set(xhttp.AmzContentSha256, hashedPayload)
|
||||
}
|
||||
|
||||
token := req.URL.Query().Get(xhttp.AmzSecurityToken)
|
||||
if token != "" {
|
||||
query.Set(xhttp.AmzSecurityToken, cred.SessionToken)
|
||||
}
|
||||
|
||||
query.Set(xhttp.AmzAlgorithm, signV4Algorithm)
|
||||
|
||||
// Construct the query.
|
||||
query.Set(xhttp.AmzDate, t.Format(iso8601Format))
|
||||
query.Set(xhttp.AmzExpires, strconv.Itoa(expireSeconds))
|
||||
@ -262,6 +268,7 @@ func doesPresignedSignatureMatch(hashedPayload string, r *http.Request, region s
|
||||
|
||||
if strings.Contains(key, "x-amz-server-side-") {
|
||||
query.Set(k, v[0])
|
||||
continue
|
||||
}
|
||||
|
||||
if strings.HasPrefix(key, "x-amz") {
|
||||
@ -290,10 +297,12 @@ func doesPresignedSignatureMatch(hashedPayload string, r *http.Request, region s
|
||||
return ErrSignatureDoesNotMatch
|
||||
}
|
||||
// Verify if sha256 payload query is same.
|
||||
if req.URL.Query().Get(xhttp.AmzContentSha256) != "" {
|
||||
if req.URL.Query().Get(xhttp.AmzContentSha256) != query.Get(xhttp.AmzContentSha256) {
|
||||
return ErrContentSHA256Mismatch
|
||||
}
|
||||
if clntHashedPayload != "" && clntHashedPayload != query.Get(xhttp.AmzContentSha256) {
|
||||
return ErrContentSHA256Mismatch
|
||||
}
|
||||
// Verify if security token is correct.
|
||||
if token != "" && subtle.ConstantTimeCompare([]byte(token), []byte(cred.SessionToken)) != 1 {
|
||||
return ErrInvalidToken
|
||||
}
|
||||
|
||||
/// Verify finally if signature is same.
|
||||
|
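Review bot: The new session-token check near the end of the section (`if token != "" && subtle.ConstantTimeCompare(...) != 1`) only runs when the request carries the X-Amz-Security-Token query parameter, so a presigned URL that omits the parameter skips it even when `cred.SessionToken` is non-empty. Unless code outside these hunks already rejects temporary credentials presented without their token, consider comparing unconditionally with `if subtle.ConstantTimeCompare([]byte(token), []byte(cred.SessionToken)) != 1 { return ErrInvalidToken }`, which still passes when both values are empty. The same `token != ""` condition guards `query.Set(xhttp.AmzSecurityToken, cred.SessionToken)` in the second hunk, so in that case the token is also left out of the query that gets signed. doesPresignedSignatureMatch starts before and continues after the visible hunks, so this needs confirming against the full function; a test using a temporary credential with the token parameter missing would pin the behaviour.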