fix: ignore signaturev2 for policy header check (#19551)

cmd/post-policy_test.go

@@ -610,7 +610,6 @@ func newPostRequestV2(endPoint, bucketName, objectName string, accessKey, secret
 		"key":                         objectName + "/${filename}",
 		"policy":                      encodedPolicy,
 		"signature":                   signature,
-		"X-Amz-Ignore-signature":      "",
 		"X-Amz-Ignore-AWSAccessKeyId": "",
 	}
 

cmd/postpolicyform.go

@@ -347,6 +347,11 @@ func checkPostPolicy(formValues http.Header, postPolicyForm PostPolicyForm) erro
 		}
 		delete(checkHeader, formCanonicalName)
 	}
+	// For SignV2 - Signature field will be ignored
+	// Policy is generated from Signature with other fields, so it should be ignored
+	if _, ok := formValues[xhttp.AmzSignatureV2]; ok {
+		delete(checkHeader, xhttp.AmzSignatureV2)
+	}
 
 	if len(checkHeader) != 0 {
 		logKeys := make([]string, 0, len(checkHeader))

cmd/signature-v4.go

@@ -154,7 +154,7 @@ func getSignature(signingKey []byte, stringToSign string) string {
 // Check to see if Policy is signed correctly.
 func doesPolicySignatureMatch(formValues http.Header) (auth.Credentials, APIErrorCode) {
 	// For SignV2 - Signature field will be valid
-	if _, ok := formValues["Signature"]; ok {
+	if _, ok := formValues[xhttp.AmzSignatureV2]; ok {
 		return doesPolicySignatureV2Match(formValues)
 	}
 	return doesPolicySignatureV4Match(formValues)