MyFavMirrors
/
minio
mirror of https://github.com/minio/minio.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fix DoS vulnerability in the content SHA-256 processing (#8026) 

This commit fixes a DoS issue that is caused by an incorrect
SHA-256 content verification during STS requests.

Before that fix clients could write arbitrary many bytes
to the server memory. This commit fixes this by limiting the
request body size.
This commit is contained in:
Andreas Auernhammer 2019-08-05 19:06:40 +02:00 committed by Harshavardhana
parent 414a7eca83
commit f6d0645a3c
2 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
cmd/signature-v4-utils.go
View File

@ -21,6 +21,7 @@ import (
"context" "context"
"crypto/hmac" "crypto/hmac"
"encoding/hex" "encoding/hex"
"io"
"io/ioutil" "io/ioutil"
"net/http" "net/http"
"strconv" "strconv"
@ -61,7 +62,7 @@ func skipContentSha256Cksum(r *http.Request) bool {
// Returns SHA256 for calculating canonical-request. // Returns SHA256 for calculating canonical-request.
func getContentSha256Cksum(r *http.Request, stype serviceType) string { func getContentSha256Cksum(r *http.Request, stype serviceType) string {
if stype == serviceSTS { if stype == serviceSTS {
payload, err := ioutil.ReadAll(r.Body) payload, err := ioutil.ReadAll(io.LimitReader(r.Body, stsRequestBodyLimit))
if err != nil { if err != nil {
logger.CriticalIf(context.Background(), err) logger.CriticalIf(context.Background(), err)
} }

2
cmd/sts-handlers.go
View File

@ -40,6 +40,8 @@ const (
clientGrants = "AssumeRoleWithClientGrants" clientGrants = "AssumeRoleWithClientGrants"
webIdentity = "AssumeRoleWithWebIdentity" webIdentity = "AssumeRoleWithWebIdentity"
assumeRole = "AssumeRole" assumeRole = "AssumeRole"
stsRequestBodyLimit = 10 * (1 << 20) // 10 MiB
) )
// stsAPIHandlers implements and provides http handlers for AWS STS API. // stsAPIHandlers implements and provides http handlers for AWS STS API.