mirror of
https://github.com/minio/minio.git
synced 2024-12-24 06:05:55 -05:00
limit memory allocations during multiple object deletion (#6033)
This commit limits the amount of memory allocated by the S3 Multi-Object-Delete-API. The server used to allocate as many bytes as provided by the client using Content-Length. S3 specifies that the S3 Multi-Object-Delete-API can delete at most 1000 objects using a single request. (See: https://docs.aws.amazon.com/AmazonS3/latest/API/multiobjectdeleteapi.html) Since the maximum S3 object name is limited to 1024 bytes the XML body sent by the client can only contain up to 1000 * 1024 bytes (excluding XML format overhead). This commit limits the size of the parsed XML for the S3 Multi-Object-Delete-API to 2 MB. This fixes a DoS vulnerability since (auth.) clients, MitM-adversaries (without TLS) and un-auth. users accessing buckets allowing multi-delete by policy can kill the server. This behavior is similar to the AWS-S3 implementation.
parent
12a916091e
commit
9f4c120731
@ -282,7 +282,13 @@ func (api objectAPIHandlers) DeleteMultipleObjectsHandler(w http.ResponseWriter,
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Allocate incoming content length bytes.
|
// Allocate incoming content length bytes.
|
||||||
deleteXMLBytes := make([]byte, r.ContentLength)
|
var deleteXMLBytes []byte
|
||||||
|
const maxBodySize = 2 * 1000 * 1024 // The max. XML contains 1000 object names (each at most 1024 bytes long) + XML overhead
|
||||||
|
if r.ContentLength > maxBodySize { // Only allocated memory for at most 1000 objects
|
||||||
|
deleteXMLBytes = make([]byte, maxBodySize)
|
||||||
|
} else {
|
||||||
|
deleteXMLBytes = make([]byte, r.ContentLength)
|
||||||
|
}
|
||||||
|
|
||||||
// Read incoming body XML bytes.
|
// Read incoming body XML bytes.
|
||||||
if _, err := io.ReadFull(r.Body, deleteXMLBytes); err != nil {
|
if _, err := io.ReadFull(r.Body, deleteXMLBytes); err != nil {
|
||||||
|
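Review bot: When `r.ContentLength > maxBodySize`, the new branch still allocates a full `maxBodySize` buffer and `io.ReadFull` fills it with the first 2,048,000 bytes of an oversized body, so the handler goes on with truncated XML instead of refusing the request. Rejecting before any allocation is cheaper and gives the client a size error rather than what is presumably a malformed-XML error later: `if r.ContentLength > maxBodySize { /* write the handler's request-too-large error */ return }`. The `else` branch also passes `r.ContentLength` straight to `make`, which panics on a negative length, and net/http reports an unknown length as -1. The function body starts and continues outside this hunk, so confirm that an earlier check rejects `ContentLength <= 0`. Wrapping `r.Body` in `http.MaxBytesReader` would enforce the same cap on the bytes actually read, independent of the declared header.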