From b3e50bb12f081a5e40e19cd30c99b423a8e960fa Mon Sep 17 00:00:00 2001 From: Chris Lu Date: Wed, 1 Apr 2026 23:23:56 -0700 Subject: [PATCH 1/2] fix(s3): remove customer encryption key from SSE-C debug log (#8875) * fix(s3): remove customer encryption key from SSE-C debug log The debug log in validateAndParseSSECHeaders was logging the raw customer-provided encryption key bytes in hex format (keyBytes=%x), leaking sensitive key material to log output. Remove the key bytes from the log statement while keeping the MD5 hash comparison info. * Apply suggestion from @gemini-code-assist[bot] Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --------- Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --- weed/s3api/s3_sse_c.go | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/weed/s3api/s3_sse_c.go b/weed/s3api/s3_sse_c.go index eec2bc7ac..79cf96041 100644 --- a/weed/s3api/s3_sse_c.go +++ b/weed/s3api/s3_sse_c.go @@ -58,9 +58,9 @@ var ( // SSECustomerKey represents a customer-provided encryption key for SSE-C type SSECustomerKey struct { - Algorithm string - Key []byte - KeyMD5 string + Algorithm string + Key []byte + KeyMD5 string } // IsSSECRequest checks if the request contains SSE-C headers @@ -119,8 +119,8 @@ func validateAndParseSSECHeaders(algorithm, key, keyMD5 string) (*SSECustomerKey sum := md5.Sum(keyBytes) expectedMD5 := base64.StdEncoding.EncodeToString(sum[:]) - // Debug logging for MD5 validation - glog.V(4).Infof("SSE-C MD5 validation: provided='%s', expected='%s', keyBytes=%x", keyMD5, expectedMD5, keyBytes) + // Debug logging for MD5 validation (never log key material) + glog.V(4).Infof("SSE-C MD5 validation: provided='%s', expected='%s'", keyMD5, expectedMD5) if keyMD5 != expectedMD5 { glog.Errorf("SSE-C MD5 mismatch: provided='%s', expected='%s'", keyMD5, expectedMD5) From 24805ff4785fc93ba5d198868f7a49dfef329d2e Mon Sep 17 00:00:00 2001 From: Chris Lu Date: Thu, 2 Apr 2026 11:33:54 -0700 Subject: [PATCH 2/2] fix(docker): add libgcc to Alpine runtime for Rust volume server (#8883) The Rust weed-volume binary requires libgcc_s.so.1 for stack unwinding (_Unwind_* symbols). Without it, the binary fails to load in the Alpine container with "Error loading shared library libgcc_s.so.1". --- docker/Dockerfile.go_build | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/Dockerfile.go_build b/docker/Dockerfile.go_build index 095dd6c36..daf76af43 100644 --- a/docker/Dockerfile.go_build +++ b/docker/Dockerfile.go_build @@ -51,7 +51,7 @@ COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/entrypoint.sh # Install dependencies and create non-root user RUN apk upgrade --no-cache zlib && \ - apk add --no-cache fuse curl su-exec && \ + apk add --no-cache fuse curl su-exec libgcc && \ addgroup -g 1000 seaweed && \ adduser -D -u 1000 -G seaweed seaweed