fix DoS vulnerability in request authentication (#5887)

This commit fixes a DoS vulnerability in the
request authentication. The root cause is an 'unlimited'
read-into-RAM from the request body.

Since this read happens before the request authentication
is verified the vulnerability can be exploit without any
access privileges.

This commit limits the size of the request body to 3 MB.
This is about the same size as AWS. The limit seems to be
between 1.6 and 3.2 MB - depending on the AWS machine which
is handling the request.

cmd/auth-handler.go

@@ -22,6 +22,7 @@ import (
 	"encoding/base64"
 	"encoding/hex"
 	"errors"
+	"io"
 	"io/ioutil"
 	"net/http"
 	"strings"
@@ -153,10 +154,10 @@ func checkRequestAuthType(ctx context.Context, r *http.Request, action policy.Ac
 	var locationConstraint string
 	if action == policy.CreateBucketAction {
 		// To extract region from XML in request body, get copy of request body.
-		payload, err := ioutil.ReadAll(r.Body)
+		payload, err := ioutil.ReadAll(io.LimitReader(r.Body, maxLocationConstraintSize))
 		if err != nil {
 			logger.LogIf(ctx, err)
-			return ErrAccessDenied
+			return ErrMalformedXML
 		}
 
 		// Populate payload to extract location constraint.
@@ -165,7 +166,7 @@ func checkRequestAuthType(ctx context.Context, r *http.Request, action policy.Ac
 		var s3Error APIErrorCode
 		locationConstraint, s3Error = parseLocationConstraint(r)
 		if s3Error != ErrNone {
-			return ErrAccessDenied
+			return s3Error
 		}
 
 		// Populate payload again to handle it in HTTP handler.

cmd/globals.go

@@ -76,6 +76,9 @@ const (
 	globalMultipartExpiry = time.Hour * 24 * 14 // 2 weeks.
 	// Cleanup interval when the stale multipart cleanup is initiated.
 	globalMultipartCleanupInterval = time.Hour * 24 // 24 hrs.
+
+	// Limit of location constraint XML for unauthenticted PUT bucket operations.
+	maxLocationConstraintSize = 3 * humanize.MiByte
 )
 
 var (