web: Validate if bucket names are reserved (#3841)

Both '.minio.sys' and 'minio' should be never allowed to be created from web-ui and then fail to list it by filtering them out. Fixes #3840
2025-11-08 21:24:55 -05:00 · 2017-03-03 03:01:42 -08:00
parent cddc684559
commit e5d4e7aa9d
5 changed files with 43 additions and 8 deletions
--- a/cmd/generic-handlers.go
+++ b/cmd/generic-handlers.go
@@ -20,7 +20,6 @@ import (
 	"bufio"
 	"net"
 	"net/http"
-	"path"
 	"strings"
 	"time"

@@ -161,17 +160,17 @@ func (h cacheControlHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {

 // Adds verification for incoming paths.
 type minioPrivateBucketHandler struct {
-	handler            http.Handler
-	reservedBucketPath string
+	handler http.Handler
 }

 func setPrivateBucketHandler(h http.Handler) http.Handler {
-	return minioPrivateBucketHandler{h, minioReservedBucketPath}
+	return minioPrivateBucketHandler{h}
 }

 func (h minioPrivateBucketHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	// For all non browser requests, reject access to 'reservedBucketPath'.
-	if !guessIsBrowserReq(r) && path.Clean(r.URL.Path) == h.reservedBucketPath {
+	// For all non browser requests, reject access to 'minioReservedBucketPath'.
+	bucketName, _ := urlPath2BucketObjectName(r.URL)
+	if !guessIsBrowserReq(r) && isMinioReservedBucket(bucketName) && isMinioMetaBucket(bucketName) {
 		writeErrorResponse(w, ErrAllAccessDisabled, r.URL)
 		return
 	}