security: fix write-to-RAM DoS vulnerability (#5957)

This commit fixes a DoS vulnerability for certain APIs using
signature V4 by verifying the content-md5 and/or content-sha256 of
the request body in a streaming mode.

The issue was caused by reading the entire body of the request into
memory to verify the content-md5 or content-sha256 checksum if present.

The vulnerability could be exploited by either replaying a V4 request
(in the 15 min time frame) or sending a V4 presigned request with a
large body.
Andreas Auernhammer
2018-05-18 20:27:25 +02:00
committed by Dee Koder
parent 1cf381f1b0
commit 9c8b7306f5
3 changed files with 43 additions and 53 deletions
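To illustrate the streaming verification the commit message describes, the following is an added example written for this page; it is not MinIO's own hash.Reader, and the type name VerifyingReader, the function ConsumeStreaming and the sample body are assumptions. The reader hashes each chunk as it passes through and compares digests only when the source reports EOF, so memory use is a fixed hash state rather than the size of the request body. It keeps the commit's guard that a negative size means "unknown length" and leaves the source unbounded in that case.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"hash"
	"io"
)

// ErrChecksumMismatch is returned once the stream ends and a digest differs.
var ErrChecksumMismatch = errors.New("content checksum mismatch")

// VerifyingReader (hypothetical name) hashes bytes as they pass through and
// compares the digests with the expected values at EOF. The body is never
// held in memory as a whole.
type VerifyingReader struct {
	src        io.Reader
	md5Want    []byte
	sha256Want []byte
	md5Hash    hash.Hash // nil when no Content-MD5 header was supplied
	sha256Hash hash.Hash // nil when no content-sha256 header was supplied
}

// NewVerifyingReader mirrors the commit's guard: a negative size means the
// length is unknown and the source is left unbounded; otherwise it is capped
// so a body longer than declared is cut off and fails verification.
func NewVerifyingReader(src io.Reader, size int64, md5Hex, sha256Hex string) (*VerifyingReader, error) {
	r := &VerifyingReader{}
	if md5Hex != "" {
		want, err := hex.DecodeString(md5Hex)
		if err != nil || len(want) != md5.Size {
			return nil, fmt.Errorf("invalid content-md5 %q", md5Hex)
		}
		r.md5Want, r.md5Hash = want, md5.New()
	}
	if sha256Hex != "" {
		want, err := hex.DecodeString(sha256Hex)
		if err != nil || len(want) != sha256.Size {
			return nil, fmt.Errorf("invalid content-sha256 %q", sha256Hex)
		}
		r.sha256Want, r.sha256Hash = want, sha256.New()
	}
	if size >= 0 {
		src = io.LimitReader(src, size)
	}
	r.src = src
	return r, nil
}

// Read feeds every chunk to the active hashes and verifies when the source
// reports EOF. A chunk delivered together with EOF is hashed before the check.
func (r *VerifyingReader) Read(p []byte) (int, error) {
	n, err := r.src.Read(p)
	if n > 0 {
		if r.md5Hash != nil {
			r.md5Hash.Write(p[:n])
		}
		if r.sha256Hash != nil {
			r.sha256Hash.Write(p[:n])
		}
	}
	if err == io.EOF {
		if verr := r.verify(); verr != nil {
			return n, verr
		}
	}
	return n, err
}

func (r *VerifyingReader) verify() error {
	if r.md5Hash != nil && !bytes.Equal(r.md5Hash.Sum(nil), r.md5Want) {
		return ErrChecksumMismatch
	}
	if r.sha256Hash != nil && !bytes.Equal(r.sha256Hash.Sum(nil), r.sha256Want) {
		return ErrChecksumMismatch
	}
	return nil
}

// ConsumeStreaming drains a body through the verifying reader using io.Copy's
// fixed-size buffer and returns the number of bytes accepted before any error.
func ConsumeStreaming(body io.Reader, size int64, md5Hex, sha256Hex string) (int64, error) {
	r, err := NewVerifyingReader(body, size, md5Hex, sha256Hex)
	if err != nil {
		return 0, err
	}
	return io.Copy(io.Discard, r)
}

func main() {
	// Constructed request body and the checksums a client would send for it.
	body := []byte("hello world")
	md5Hex := fmt.Sprintf("%x", md5.Sum(body))
	sha256Hex := fmt.Sprintf("%x", sha256.Sum256(body))

	n, err := ConsumeStreaming(bytes.NewReader(body), int64(len(body)), md5Hex, sha256Hex)
	fmt.Println("intact body:", n, err)

	_, err = ConsumeStreaming(bytes.NewReader([]byte("hello worlD")), 11, md5Hex, "")
	fmt.Println("tampered body:", err)
}
```

The contrast with the pattern the commit removes is that an `io.ReadAll` on the body allocates as many bytes as the client sends before any digest is compared, which is exactly what a replayed or presigned request with a large body abuses; here the only per-request state is the hash objects and io.Copy's buffer. Note that the streaming reader removes the buffering cost but not the cost of reading the stream itself, so a server still needs an outer request-size limit for the unknown-length (negative size) case.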


@@ -61,11 +61,13 @@ func NewReader(src io.Reader, size int64, md5Hex, sha256Hex string) (*Reader, er
if len(sha256sum) != 0 {
sha256Hash = sha256.New()
}
if size >= 0 {
src = io.LimitReader(src, size)
}
return &Reader{
md5sum: md5sum,
sha256sum: sha256sum,
src: io.LimitReader(src, size),
src: src,
size: size,
md5Hash: md5.New(),
sha256Hash: sha256Hash,
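Review bot: the new `if size >= 0 { src = io.LimitReader(src, size) }` guard changes behaviour for callers passing a negative size without saying so: the removed `src: io.LimitReader(src, size)` returned EOF on the first read for a negative limit, whereas the new `src: src` leaves the reader unbounded. Add a comment above the guard (and to the NewReader doc comment) stating that a negative size means unknown length, and confirm that every call site passing a negative size sits behind an outer request-size limit, since streaming verification removes the in-memory buffer but not the cost of reading an unbounded stream.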