* Fix critical authentication bypass vulnerability (#7912) The isRequestPostPolicySignatureV4() function was incorrectly returning true for ANY POST request with a multipart/form-data content type, causing all such requests to bypass authentication in authRequest(). This allowed unauthenticated access to S3 API endpoints, as reported in issue #7912, where any credentials (or no credentials) were accepted. The fix removes isRequestPostPolicySignatureV4() entirely, preventing authTypePostPolicy from ever being set. PostPolicy signature verification is still properly handled in PostPolicyBucketHandler via doesPolicySignatureMatch(). Fixes #7912 * add AuthPostPolicy * refactor * Optimizing Auth Credentials * Update auth_credentials.go * Update auth_credentials.go
@@ -41,12 +41,6 @@ func isRequestPresignedSignatureV2(r *http.Request) bool {
|
||||
return ok
|
||||
}
|
||||
|
||||
// Verify if request has AWS Post policy Signature Version '4'.
|
||||
func isRequestPostPolicySignatureV4(r *http.Request) bool {
|
||||
return strings.Contains(r.Header.Get("Content-Type"), "multipart/form-data") &&
|
||||
r.Method == http.MethodPost
|
||||
}
|
||||
|
||||
// Verify if the request has AWS Streaming Signature Version '4'. This is only valid for 'PUT' operation.
|
||||
// Supports both with and without trailer variants:
|
||||
// - STREAMING-AWS4-HMAC-SHA256-PAYLOAD (original)
|
||||
@@ -101,8 +95,6 @@ func getRequestAuthType(r *http.Request) authType {
|
||||
authType = authTypePresigned
|
||||
} else if isRequestJWT(r) {
|
||||
authType = authTypeJWT
|
||||
} else if isRequestPostPolicySignatureV4(r) {
|
||||
authType = authTypePostPolicy
|
||||
} else if _, ok := r.Header["Authorization"]; !ok {
|
||||
authType = authTypeAnonymous
|
||||
} else {
|
||||
|
||||