From bb292e4e38e4ce76542da557e11c4ef1780fe1a6 Mon Sep 17 00:00:00 2001
From: Krishna Srinivas
Date: Wed, 10 May 2017 09:54:24 -0700
Subject: [PATCH] web-handler: Allow anonymous download of zip (#4309)
fixes #4230
---
 cmd/web-handlers.go | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/cmd/web-handlers.go b/cmd/web-handlers.go
index eff9f3b27..17a97a727 100644
--- a/cmd/web-handlers.go
+++ b/cmd/web-handlers.go
@@ -21,6 +21,7 @@ import (
 "encoding/json"
 "errors"
 "fmt"
+ "io"
 "io/ioutil"
 "net/http"
 "os"
@@ -567,19 +568,26 @@ func (web *webAPIHandlers) DownloadZip(w http.ResponseWriter, r *http.Request) {
 return
 }
- token := r.URL.Query().Get("token")
-
- if !isAuthTokenValid(token) {
- writeWebErrorResponse(w, errAuthentication)
- return
- }
+ // Auth is done after reading the body to accommodate for anonymous requests
+ // when bucket policy is enabled.
 var args DownloadZipArgs
- decodeErr := json.NewDecoder(r.Body).Decode(&args)
+ tenKB := 10 * 1024 // To limit r.Body to take care of misbehaving anonymous client.
+ decodeErr := json.NewDecoder(io.LimitReader(r.Body, int64(tenKB))).Decode(&args)
 if decodeErr != nil {
 writeWebErrorResponse(w, decodeErr)
 return
 }
+ token := r.URL.Query().Get("token")
+ if !isAuthTokenValid(token) {
+ for _, object := range args.Objects {
+ if !isBucketActionAllowed("s3:GetObject", args.BucketName, pathJoin(args.Prefix, object)) {
+ writeWebErrorResponse(w, errAuthentication)
+ return
+ }
+ }
+ }
+
 archive := zip.NewWriter(w)
 defer archive.Close()
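Review bot: The anonymous gate in the new `if !isAuthTokenValid(token)` block is vacuously satisfied when `args.Objects` is empty: the `for` loop never executes, so a request with no valid token and an empty object list falls through to `zip.NewWriter(w)` and whatever follows. DownloadZip begins before and continues after this hunk, so whether that is harmful depends on code not shown (anything the remainder does with `args.Prefix` alone, such as listing, would become reachable without a token); an explicit deny keeps the check total: `if len(args.Objects) == 0 { writeWebErrorResponse(w, errAuthentication); return }` as the first statement of the branch. Note also that the policy check is evaluated on `pathJoin(args.Prefix, object)` exactly as supplied, so if an entry names a prefix and the later code expands it, the expanded children are not individually covered by this check. As a style point, `tenKB := 10 * 1024` is a request-body limit and reads better as a package-level named constant than as a local recomputed per request.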