s3: do not persist multi part "Response-Content-Disposition" in request header (#7887)

* fix: support standard HTTP headers in S3 multipart upload

* fix(s3api): validate standard HTTP headers correctly and avoid persisting Response-Content-Disposition

---------

Co-authored-by: steve.wei <coderushing@gmail.com>

weed/s3api/s3_metadata_util.go

@@ -47,11 +47,8 @@ func ParseS3Metadata(r *http.Request, existing map[string][]byte, isReplace bool
 		}
 	}
 
-	// Handle Response-Content-Disposition (used in presigned URLs)
+	// Do NOT persist Response-Content-Disposition: it is a GET-only
-	// This should be stored as Content-Disposition
+	// presigned-download override and must not be stored as upload metadata.
-	if rcd := r.Header.Get("Response-Content-Disposition"); rcd != "" {
-		metadata["Content-Disposition"] = []byte(rcd)
-	}
 
 	// Object tagging
 	if tags := r.Header.Get(s3_constants.AmzObjectTagging); tags != "" {

weed/s3api/s3api_object_handlers_multipart.go

@@ -67,16 +67,16 @@ func (s3a *S3ApiServer) NewMultipartUploadHandler(w http.ResponseWriter, r *http
 	}
 
 	// Validate Cache-Control header format if present
-	if r.Header.Get("Cache-Control") != "" {
+	if cacheControl := r.Header.Get("Cache-Control"); cacheControl != "" {
-		if _, err := cacheobject.ParseRequestCacheControl(r.Header.Get("Cache-Control")); err != nil {
+		if _, err := cacheobject.ParseRequestCacheControl(cacheControl); err != nil {
-			s3err.WriteErrorResponse(w, r, s3err.ErrInvalidDigest)
+			s3err.WriteErrorResponse(w, r, s3err.ErrInvalidRequest)
 			return
 		}
 	}
 
 	// Validate Expires header format if present
-	if r.Header.Get("Expires") != "" {
+	if expires := r.Header.Get("Expires"); expires != "" {
-		if _, err := time.Parse(http.TimeFormat, r.Header.Get("Expires")); err != nil {
+		if _, err := time.Parse(http.TimeFormat, expires); err != nil {
 			s3err.WriteErrorResponse(w, r, s3err.ErrMalformedDate)
 			return
 		}