mirror of
https://github.com/minio/minio.git
synced 2024-12-24 06:05:55 -05:00
parent
d1971b9a4d
commit
bb292e4e38
@ -21,6 +21,7 @@ import (
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io"
|
||||
"io/ioutil"
|
||||
"net/http"
|
||||
"os"
|
||||
@ -567,19 +568,26 @@ func (web *webAPIHandlers) DownloadZip(w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
|
||||
token := r.URL.Query().Get("token")
|
||||
|
||||
if !isAuthTokenValid(token) {
|
||||
writeWebErrorResponse(w, errAuthentication)
|
||||
return
|
||||
}
|
||||
// Auth is done after reading the body to accommodate for anonymous requests
|
||||
// when bucket policy is enabled.
|
||||
var args DownloadZipArgs
|
||||
decodeErr := json.NewDecoder(r.Body).Decode(&args)
|
||||
tenKB := 10 * 1024 // To limit r.Body to take care of misbehaving anonymous client.
|
||||
decodeErr := json.NewDecoder(io.LimitReader(r.Body, int64(tenKB))).Decode(&args)
|
||||
if decodeErr != nil {
|
||||
writeWebErrorResponse(w, decodeErr)
|
||||
return
|
||||
}
|
||||
|
||||
token := r.URL.Query().Get("token")
|
||||
if !isAuthTokenValid(token) {
|
||||
for _, object := range args.Objects {
|
||||
if !isBucketActionAllowed("s3:GetObject", args.BucketName, pathJoin(args.Prefix, object)) {
|
||||
writeWebErrorResponse(w, errAuthentication)
|
||||
return
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
archive := zip.NewWriter(w)
|
||||
defer archive.Close()
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user