Valid if bucket names are internal (#7476)

This commit fixes a privilege escalation issue against the S3 and web handlers. An authenticated IAM user can: - Read from or write to the internal '.minio.sys' bucket by simply sending a properly signed S3 GET or PUT request. Further, the user can - Read from or write to the internal '.minio.sys' bucket using the 'Upload'/'Download'/'DownloadZIP' API by sending a "browser" request authenticated with its JWT token.
2025-12-02 22:20:43 -05:00 · 2019-04-03 23:10:37 -07:00
parent 9a740736a4
commit c90999df98
8 changed files with 92 additions and 34 deletions
--- a/cmd/xl-v1-healing.go
+++ b/cmd/xl-v1-healing.go
@@ -169,8 +169,7 @@ func listAllBuckets(storageDisks []StorageAPI) (buckets map[string]VolInfo,
 			// StorageAPI can send volume names which are
 			// incompatible with buckets - these are
 			// skipped, like the meta-bucket.
-			if !IsValidBucketName(volInfo.Name) ||
-				isMinioMetaBucketName(volInfo.Name) {
+			if isReservedOrInvalidBucket(volInfo.Name, false) {
 				continue
 			}
 			// Increase counter per bucket name