web-handler: Allow anonymous download of zip (#4309)

fixes #4230
This commit is contained in:
Krishna Srinivas 2017-05-10 09:54:24 -07:00 committed by Harshavardhana
parent d1971b9a4d
commit bb292e4e38

View File

@ -21,6 +21,7 @@ import (
"encoding/json"
"errors"
"fmt"
"io"
"io/ioutil"
"net/http"
"os"
@ -567,19 +568,26 @@ func (web *webAPIHandlers) DownloadZip(w http.ResponseWriter, r *http.Request) {
return
}
token := r.URL.Query().Get("token")
if !isAuthTokenValid(token) {
writeWebErrorResponse(w, errAuthentication)
return
}
// Auth is done after reading the body to accommodate for anonymous requests
// when bucket policy is enabled.
var args DownloadZipArgs
decodeErr := json.NewDecoder(r.Body).Decode(&args)
tenKB := 10 * 1024 // To limit r.Body to take care of misbehaving anonymous client.
decodeErr := json.NewDecoder(io.LimitReader(r.Body, int64(tenKB))).Decode(&args)
if decodeErr != nil {
writeWebErrorResponse(w, decodeErr)
return
}
token := r.URL.Query().Get("token")
if !isAuthTokenValid(token) {
for _, object := range args.Objects {
if !isBucketActionAllowed("s3:GetObject", args.BucketName, pathJoin(args.Prefix, object)) {
writeWebErrorResponse(w, errAuthentication)
return
}
}
}
archive := zip.NewWriter(w)
defer archive.Close()