make sure to validate signature unsigned trailer stream (#21103)

This is a security incident fix; it would seem that since
the implementation of unsigned payload trailer on PUTs,
we do not validate the signature of the incoming request.

The signature can be invalid and is totally being ignored;
this in turn allows any arbitrary secret to upload objects,
given the user has "WRITE" permissions on the bucket. Since the
access-key is public information in general, this exposes these
potential users with WRITE on the bucket to be used by any
arbitrary client to make a fake request to MinIO; the signature
under the Authorization: header is totally ignored.

A test has been added to cover this scenario and fail
appropriately.
Harshavardhana
2025-04-03 07:55:52 -07:00
committed by GitHub
parent 01447d2438
commit 8c70975283
5 changed files with 69 additions and 40 deletions

@@ -29,7 +29,12 @@ import (
// newUnsignedV4ChunkedReader returns a new s3UnsignedChunkedReader that translates the data read from r
// out of HTTP "chunked" format before returning it.
// The s3ChunkedReader returns io.EOF when the final 0-length chunk is read.
func newUnsignedV4ChunkedReader(req *http.Request, trailer bool) (io.ReadCloser, APIErrorCode) {
func newUnsignedV4ChunkedReader(req *http.Request, trailer bool, signature bool) (io.ReadCloser, APIErrorCode) {
if signature {
if errCode := doesSignatureMatch(unsignedPayloadTrailer, req, globalSite.Region(), serviceS3); errCode != ErrNone {
return nil, errCode
}
}
if trailer {
// Discard anything unsigned.
req.Trailer = make(http.Header)
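Review bot: The new `signature bool` parameter on `newUnsignedV4ChunkedReader` makes verification opt-in, so any caller that passes `false` still gets a reader without `doesSignatureMatch` having run, which is the failure mode the commit message describes. The doc comment above the function is unchanged and does not say when `false` is legitimate; please document that. Also consider avoiding two adjacent positional bools (`trailer bool, signature bool`), which can be transposed at a call site without a compile error, for example by making the check unconditional here and giving callers that have already verified the request a separately named constructor.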