Avoid DDOS in PutObject() when objectName is '/' and size '0' (#4962)

It can happen that an incoming PutObject() request might
have inputs of the following form, e.g.:

 - bucketName is 'testbucket'
 - objectName is '/'

bucketName exists and was previously created, but there
are no other objects in this bucket. In a situation like
this, parentDirIsObject() goes into an infinite loop.

Verifying whether '/' is an object fails on both backends,
but the resulting `path.Dir('/')` returns `'/'`, which causes
the closure to loop onto itself.

Fixes #4940
Harshavardhana
2017-09-25 14:47:58 -07:00
committed by Dee Koder
parent 7e6b5bdbb7
commit d3eb5815d9
4 changed files with 178 additions and 5 deletions
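
The loop described in the commit message, as an added example that is not part of this commit or of the project's code. `walkParents`, its `stops` list and the `maxSteps` bound are hypothetical names used to model the parent walk so that the non-terminating case can be observed instead of hanging.

```go
package main

import (
	"fmt"
	"path"
)

// walkParents is a hypothetical stand-alone model of the parent walk in
// parentDirIsObject. isObject stands in for the backend lookup, stops lists
// the paths that end the walk, and maxSteps bounds the walk so that a walk
// that never ends is reported rather than run forever.
// It returns (found, terminated).
func walkParents(isObject func(string) bool, p string, stops []string, maxSteps int) (bool, bool) {
	for i := 0; i < maxSteps; i++ {
		for _, s := range stops {
			if p == s {
				return false, true
			}
		}
		if isObject(p) {
			return true, true
		}
		// path.Dir has two fixed points: Dir(".") == "." and Dir("/") == "/".
		p = path.Dir(p)
	}
	return false, false // step budget exhausted: no stop value was ever reached
}

func main() {
	// Constructed input: an empty bucket, as in the commit message.
	empty := func(string) bool { return false }
	oldGuard := []string{"."}
	newGuard := []string{".", "/"}

	for _, name := range []string{"/", "/a/b", "a/b"} {
		_, oldDone := walkParents(empty, name, oldGuard, 1000)
		_, newDone := walkParents(empty, name, newGuard, 1000)
		fmt.Printf("%-6q old guard terminates=%v, new guard terminates=%v\n",
			name, oldDone, newDone)
	}
}
```

Any path that starts with '/' converges on '/' rather than '.', so the old guard fails to stop for every such name, not only for '/' itself.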

@@ -16,7 +16,9 @@
package cmd
import "path"
import (
"path"
)
// getLoadBalancedDisks - fetches load balanced (sufficiently randomized) disk slice.
func (xl xlObjects) getLoadBalancedDisks() (disks []StorageAPI) {
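Review bot: The import rewrite at the top of this hunk, from the single-line `import "path"` to a parenthesized block that still holds only "path", is unrelated to the loop fix and only adds churn to the change. Either keep the single-line form or move the reformatting to its own commit so that this one contains just the guard change.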
@@ -33,11 +35,11 @@ func (xl xlObjects) getLoadBalancedDisks() (disks []StorageAPI) {
func (xl xlObjects) parentDirIsObject(bucket, parent string) bool {
var isParentDirObject func(string) bool
isParentDirObject = func(p string) bool {
if p == "." {
if p == "." || p == "/" {
return false
}
if xl.isObject(bucket, p) {
// If there is already a file at prefix "p" return error.
// If there is already a file at prefix "p", return true.
return true
}
// Check if there is a file as one of the parent paths.
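Review bot: The widened guard `if p == "." || p == "/"` has no comment saying why "/" must end the walk, and the reason is not obvious from the code alone. Please add a one-line comment there noting that path.Dir("/") returns "/", so without this condition the closure is called again with the same argument; that keeps a later cleanup from dropping the second condition. The reworded comment above `return true` reads correctly now that the function returns a bool rather than an error.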