fix: copyObject key rotation issue (#10085)

- copyObject in-place decryption failed due to incorrect verification of headers - do not decode ETag when object is encrypted with SSE-C, so that pre-conditions don't fail prematurely.
2025-11-20 18:06:10 -05:00 · 2020-07-18 17:36:32 -07:00
parent 44c8af66ad
commit d53e560ce0
4 changed files with 14 additions and 15 deletions
--- a/cmd/object-handlers.go
+++ b/cmd/object-handlers.go
@@ -612,10 +612,6 @@ func (api objectAPIHandlers) HeadObjectHandler(w http.ResponseWriter, r *http.Re

 	// Set encryption response headers
 	if objectAPI.IsEncryptionSupported() {
-		if _, err = DecryptObjectInfo(&objInfo, r); err != nil {
-			writeErrorResponseHeadersOnly(w, toAPIError(ctx, err))
-			return
-		}
 		if crypto.IsEncrypted(objInfo.UserDefined) {
 			switch {
 			case crypto.S3.IsEncrypted(objInfo.UserDefined):
@@ -1744,9 +1740,6 @@ func (api objectAPIHandlers) CopyObjectPartHandler(w http.ResponseWriter, r *htt
 		// Note that url.Parse does the unescaping
 		cpSrcPath = u.Path
 	}
-	if vid == "" {
-		vid = strings.TrimSpace(r.Header.Get(xhttp.AmzCopySourceVersionID))
-	}

 	srcBucket, srcObject := path2BucketObject(cpSrcPath)
 	// If source object is empty or bucket is empty, reply back invalid copy source.