do not save plain-text ETag when encryption is requested (#17427)

fixes an issue under bucket replication could cause ETags for replicated SSE-S3 single part PUT objects, to fail as we would attempt a decryption while listing, or stat() operation.
2025-11-10 22:10:12 -05:00 · 2023-06-15 12:43:26 -07:00
parent 4a562d6732
commit ad4e511026
3 changed files with 75 additions and 2 deletions
--- a/cmd/erasure-object.go
+++ b/cmd/erasure-object.go
@@ -37,6 +37,7 @@ import (
 	"github.com/minio/minio/internal/bucket/lifecycle"
 	"github.com/minio/minio/internal/bucket/object/lock"
 	"github.com/minio/minio/internal/bucket/replication"
+	"github.com/minio/minio/internal/crypto"
 	"github.com/minio/minio/internal/event"
 	"github.com/minio/minio/internal/hash"
 	xhttp "github.com/minio/minio/internal/http"
@@ -1263,8 +1264,16 @@ func (er erasureObjects) putObject(ctx context.Context, bucket string, object st
 	}

 	userDefined["etag"] = r.MD5CurrentHexString()
+	kind, _ := crypto.IsEncrypted(userDefined)
 	if opts.PreserveETag != "" {
-		userDefined["etag"] = opts.PreserveETag
+		if !opts.ReplicationRequest {
+			userDefined["etag"] = opts.PreserveETag
+		} else if kind != crypto.S3 {
+			// if we have a replication request
+			// and SSE-S3 is specified do not preserve
+			// the incoming etag.
+			userDefined["etag"] = opts.PreserveETag
+		}
 	}

 	// Guess content-type from the extension if possible.