Avoid DDOS in PutObject() when objectName is '/' and size '0' (#4962)

It can happen that an incoming PutObject() request might have inputs of following form eg:- - bucketName is 'testbucket' - objectName is '/' bucketName exists and was previously created but there are no other objects in this bucket. In a situation like this parentDirIsObject() goes into an infinite loop. Verifying that if '/' is an object fails on both backends but the resulting `path.Dir('/')` returns `'/'` this causes the closure to loop onto itself. Fixes #4940
2025-11-09 21:49:46 -05:00 · 2017-09-25 14:47:58 -07:00
parent 7e6b5bdbb7
commit d3eb5815d9
4 changed files with 178 additions and 5 deletions
--- a/cmd/fs-v1.go
+++ b/cmd/fs-v1.go
@@ -491,13 +491,14 @@ func (fs fsObjects) GetObjectInfo(bucket, object string) (oi ObjectInfo, e error
 func (fs fsObjects) parentDirIsObject(bucket, parent string) bool {
 	var isParentDirObject func(string) bool
 	isParentDirObject = func(p string) bool {
-		if p == "." {
+		if p == "." || p == "/" {
 			return false
 		}
 		if _, err := fsStatFile(pathJoin(fs.fsPath, bucket, p)); err == nil {
-			// If there is already a file at prefix "p" return error.
+			// If there is already a file at prefix "p", return true.
 			return true
 		}
+
 		// Check if there is a file as one of the parent paths.
 		return isParentDirObject(path.Dir(p))
 	}