mirror of
https://github.com/minio/minio.git
synced 2024-12-24 22:25:54 -05:00
parent
d1971b9a4d
commit
bb292e4e38
@ -21,6 +21,7 @@ import (
|
|||||||
"encoding/json"
|
"encoding/json"
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"io"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
"net/http"
|
"net/http"
|
||||||
"os"
|
"os"
|
||||||
@ -567,19 +568,26 @@ func (web *webAPIHandlers) DownloadZip(w http.ResponseWriter, r *http.Request) {
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
token := r.URL.Query().Get("token")
|
// Auth is done after reading the body to accommodate for anonymous requests
|
||||||
|
// when bucket policy is enabled.
|
||||||
if !isAuthTokenValid(token) {
|
|
||||||
writeWebErrorResponse(w, errAuthentication)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
var args DownloadZipArgs
|
var args DownloadZipArgs
|
||||||
decodeErr := json.NewDecoder(r.Body).Decode(&args)
|
tenKB := 10 * 1024 // To limit r.Body to take care of misbehaving anonymous client.
|
||||||
|
decodeErr := json.NewDecoder(io.LimitReader(r.Body, int64(tenKB))).Decode(&args)
|
||||||
if decodeErr != nil {
|
if decodeErr != nil {
|
||||||
writeWebErrorResponse(w, decodeErr)
|
writeWebErrorResponse(w, decodeErr)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
token := r.URL.Query().Get("token")
|
||||||
|
if !isAuthTokenValid(token) {
|
||||||
|
for _, object := range args.Objects {
|
||||||
|
if !isBucketActionAllowed("s3:GetObject", args.BucketName, pathJoin(args.Prefix, object)) {
|
||||||
|
writeWebErrorResponse(w, errAuthentication)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
archive := zip.NewWriter(w)
|
archive := zip.NewWriter(w)
|
||||||
defer archive.Close()
|
defer archive.Close()
|
||||||
|
|
||||||
|
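Review bot: In the anonymous branch of DownloadZip (`if !isAuthTokenValid(token)`), the only authorization check is the loop over `args.Objects`, so a request with a missing or invalid token and an empty `Objects` list passes without a single `isBucketActionAllowed` call. What the rest of the function does with an empty list is outside this hunk, but the decision should fail closed: inside that branch, before the loop, add `if len(args.Objects) == 0 { writeWebErrorResponse(w, errAuthentication); return }`. Separately, the 10 KB `io.LimitReader` cap also applies to callers with a valid token, so a large legitimate selection will surface as a JSON decode error. The comment on `tenKB` should say the limit is intended for every caller, not only anonymous ones. The function body starts and ends outside the hunk.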