gsh-digital-services/seaweedFS
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7a18c3a16fea98ced731073b255143667d3f0dec
seaweedFS/weed/s3api
History
Chris Lu 7a18c3a16f Fix critical authentication bypass vulnerability (#7912) (#7915) 
* Fix critical authentication bypass vulnerability (#7912)

The isRequestPostPolicySignatureV4() function was incorrectly returning
true for ANY POST request with multipart/form-data content type,
causing all such requests to bypass authentication in authRequest().

This allowed unauthenticated access to S3 API endpoints, as reported
in issue #7912 where any credentials (or no credentials) were accepted.

The fix removes isRequestPostPolicySignatureV4() entirely, preventing
authTypePostPolicy from ever being set. PostPolicy signature verification
is still properly handled in PostPolicyBucketHandler via
doesPolicySignatureMatch().

Fixes #7912

* add AuthPostPolicy

* refactor

* Optimizing Auth Credentials

* Update auth_credentials.go

* Update auth_credentials.go
2025-12-30 12:40:59 -08:00
..
cors
fix: CORS wildcard subdomain matching cache race condition (#7736)
2025-12-13 14:33:46 -08:00
policy
fix
2024-10-03 09:03:17 -07:00
policy_engine
fix: resolve inconsistent S3 API authorization for DELETE operations (issue #7864) (#7865)
2025-12-24 10:29:30 -08:00
s3_constants
Refactor: Replace removeDuplicateSlashes with NormalizeObjectKey (#7873)
2025-12-24 19:07:08 -08:00
s3_objectlock
fix: admin UI bucket deletion with filer group configured (#7735)
2025-12-13 19:04:12 -08:00
s3bucket
adjust fix
2025-02-01 14:11:57 -08:00
s3err
Filer, S3: Feature/add concurrent file upload limit (#7554)
2025-11-26 12:07:54 -08:00
AmazonS3.xsd
add s3test for sql (#5718)
2024-07-04 11:00:41 -07:00
auth_credentials_subscribe.go
s3: fix remote object not caching (#7790)
2025-12-16 12:41:04 -08:00
auth_credentials_test.go
S3: Enforce bucket policy (#7471)
2025-11-12 22:14:50 -08:00
auth_credentials.go
Fix critical authentication bypass vulnerability (#7912) (#7915)
2025-12-30 12:40:59 -08:00
auth_signature_v2_test.go
fix(s3api): fix AWS Signature V2 format and validation (#7488)
2025-11-26 12:24:02 -08:00
auth_signature_v2.go
IAM: Add Service Account Support (#7744) (#7901)
2025-12-29 20:17:23 -08:00
auth_signature_v4_test.go
Fix IPv6 host header formatting to match AWS SDK behavior (#7414)
2025-10-30 21:06:00 -07:00
auth_signature_v4.go
IAM: Add Service Account Support (#7744) (#7901)
2025-12-29 20:17:23 -08:00
auto_signature_v4_test.go
feat(iam): add SetUserStatus and UpdateAccessKey actions (#7750)
2025-12-14 18:48:39 -08:00
bucket_metadata_test.go
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859)
2023-09-25 08:34:12 -07:00
bucket_metadata.go
s3: fix remote object not caching (#7790)
2025-12-16 12:41:04 -08:00
bucket_size_metrics.go
Make lock_manager.RenewInterval configurable in LiveLock (#7830)
2025-12-20 15:25:47 -08:00
chunked_bug_reproduction_test.go
S3 API: unsigned streaming (no cred) but chunks contain signatures (#7118)
2025-08-11 10:31:01 -07:00
chunked_reader_v4_test.go
IAM: Add Service Account Support (#7744) (#7901)
2025-12-29 20:17:23 -08:00
chunked_reader_v4.go
s3: support STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER for signed chunked uploads with checksums (#7623)
2025-12-04 14:51:37 -08:00
custom_types.go
S3: Directly read write volume servers (#7481)
2025-11-18 23:18:35 -08:00
filer_multipart_test.go
fix: use path instead of filepath for S3 object paths on Windows (#7739)
2025-12-14 11:18:23 -08:00
filer_multipart.go
fix: reduce N+1 queries in S3 versioned object list operations (#7814)
2025-12-18 17:44:27 -08:00
filer_util_tags.go
added context to filer_client method calls (#6808)
2025-05-22 09:46:49 -07:00
filer_util.go
S3: Directly read write volume servers (#7481)
2025-11-18 23:18:35 -08:00
object_lock_utils.go
Fix SeaweedFS S3 bucket extended attributes handling (#7854)
2025-12-22 23:19:50 -08:00
policy_conversion_test.go
S3: Directly read write volume servers (#7481)
2025-11-18 23:18:35 -08:00
policy_conversion.go
S3: Directly read write volume servers (#7481)
2025-11-18 23:18:35 -08:00
README.txt
add s3test for sql (#5718)
2024-07-04 11:00:41 -07:00
s3_action_resolver.go
S3: add context aware action resolution (#7479)
2025-11-13 16:10:46 -08:00
s3_bucket_encryption.go
fix: CORS wildcard subdomain matching cache race condition (#7736)
2025-12-13 14:33:46 -08:00
s3_content_encoding_test.go
S3: Fix Content-Encoding header not preserved (#7894) (#7895)
2025-12-27 12:25:33 -08:00
s3_end_to_end_test.go
fix: comprehensive go vet error fixes and add CI enforcement (#7861)
2025-12-23 14:48:50 -08:00
s3_error_utils.go
S3 API: Add SSE-S3 (#7151)
2025-08-22 01:15:42 -07:00
s3_existing_object_tag_test.go
s3: add s3:ExistingObjectTag condition support for bucket policies (#7677)
2025-12-09 09:48:13 -08:00
s3_granular_action_security_test.go
S3: add context aware action resolution (#7479)
2025-11-13 16:10:46 -08:00
s3_iam_middleware.go
S3: Directly read write volume servers (#7481)
2025-11-18 23:18:35 -08:00
s3_iam_role_selection_test.go
S3 API: Advanced IAM System (#7160)
2025-08-30 11:15:48 -07:00
s3_iam_simple_test.go
fix: comprehensive go vet error fixes and add CI enforcement (#7861)
2025-12-23 14:48:50 -08:00
s3_jwt_auth_test.go
fix: comprehensive go vet error fixes and add CI enforcement (#7861)
2025-12-23 14:48:50 -08:00
s3_list_parts_action_test.go
S3: add context aware action resolution (#7479)
2025-11-13 16:10:46 -08:00
s3_metadata_util.go
s3: do not persist multi part "Response-Content-Disposition" in request header (#7887)
2025-12-26 13:21:15 -08:00
s3_multipart_iam_test.go
fix: comprehensive go vet error fixes and add CI enforcement (#7861)
2025-12-23 14:48:50 -08:00
s3_multipart_iam.go
S3: Directly read write volume servers (#7481)
2025-11-18 23:18:35 -08:00
s3_policy_templates_test.go
S3: Enforce bucket policy (#7471)
2025-11-12 22:14:50 -08:00
s3_policy_templates.go
S3: Enforce bucket policy (#7471)
2025-11-12 22:14:50 -08:00
s3_presigned_url_iam_test.go
fix: comprehensive go vet error fixes and add CI enforcement (#7861)
2025-12-23 14:48:50 -08:00
s3_presigned_url_iam.go
S3: Enforce bucket policy (#7471)
2025-11-12 22:14:50 -08:00
s3_sse_bucket_test.go
S3 API: Add SSE-KMS (#7144)
2025-08-21 08:28:07 -07:00
s3_sse_c_range_test.go
S3 API: Fix SSE-S3 decryption on object download (#7366)
2025-10-23 20:10:12 -07:00
s3_sse_c_test.go
S3 API: Add SSE-KMS (#7144)
2025-08-21 08:28:07 -07:00
s3_sse_c.go
S3: Directly read write volume servers (#7481)
2025-11-18 23:18:35 -08:00
s3_sse_copy_test.go
S3 API: Fix SSE-S3 decryption on object download (#7366)
2025-10-23 20:10:12 -07:00
s3_sse_ctr_test.go
S3: Directly read write volume servers (#7481)
2025-11-18 23:18:35 -08:00
s3_sse_error_test.go
S3 API: Add SSE-S3 (#7151)
2025-08-22 01:15:42 -07:00
s3_sse_http_test.go
S3 API: Add SSE-KMS (#7144)
2025-08-21 08:28:07 -07:00
s3_sse_kms_test.go
S3 API: Add SSE-KMS (#7144)
2025-08-21 08:28:07 -07:00
s3_sse_kms_utils.go
S3 API: Add SSE-S3 (#7151)
2025-08-22 01:15:42 -07:00
s3_sse_kms.go
S3: Directly read write volume servers (#7481)
2025-11-18 23:18:35 -08:00
s3_sse_metadata_test.go
S3 API: Add SSE-KMS (#7144)
2025-08-21 08:28:07 -07:00
s3_sse_metadata.go
S3 API: Fix SSE-S3 decryption on object download (#7366)
2025-10-23 20:10:12 -07:00
s3_sse_multipart_test.go
Migrate from deprecated azure-storage-blob-go to modern Azure SDK (#7310)
2025-10-08 23:12:03 -07:00
s3_sse_s3_integration_test.go
go fmt
2025-10-27 23:04:55 -07:00
s3_sse_s3_multipart_test.go
S3: Directly read write volume servers (#7481)
2025-11-18 23:18:35 -08:00
s3_sse_s3_test.go
fix: copy to bucket with default SSE-S3 encryption fails (#7562) (#7568)
2025-11-28 13:28:17 -08:00
s3_sse_s3.go
fix: copy to bucket with default SSE-S3 encryption fails (#7562) (#7568)
2025-11-28 13:28:17 -08:00
s3_sse_test_utils_test.go
S3 API: Fix SSE-S3 decryption on object download (#7366)
2025-10-23 20:10:12 -07:00
s3_sse_utils.go
S3: Directly read write volume servers (#7481)
2025-11-18 23:18:35 -08:00
s3_token_differentiation_test.go
fix: comprehensive go vet error fixes and add CI enforcement (#7861)
2025-12-23 14:48:50 -08:00
s3_validation_utils.go
go fmt
2025-10-27 23:04:55 -07:00
s3api_acl_helper_test.go
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859)
2023-09-25 08:34:12 -07:00
s3api_acl_helper.go
Add Kafka Gateway (#7231)
2025-10-13 18:05:17 -07:00
s3api_acp.go
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859)
2023-09-25 08:34:12 -07:00
s3api_auth.go
Fix critical authentication bypass vulnerability (#7912) (#7915)
2025-12-30 12:40:59 -08:00
s3api_bucket_config.go
fix: CORS wildcard subdomain matching cache race condition (#7736)
2025-12-13 14:33:46 -08:00
s3api_bucket_cors_handlers.go
S3: add fallback for CORS (#7404)
2025-10-29 13:43:27 -07:00
s3api_bucket_handlers_object_lock_config.go
S3: S3 Object Retention API to include XML namespace support (#7517)
2025-11-20 11:42:22 -08:00
s3api_bucket_handlers_test.go
fix: ListBuckets returns empty for users with bucket-specific permissions (#7799)
2025-12-17 00:09:13 -08:00
s3api_bucket_handlers.go
s3: Add SOSAPI support for Veeam integration (#7899)
2025-12-28 14:07:58 -08:00
s3api_bucket_metadata_test.go
S3 API: Add SSE-KMS (#7144)
2025-08-21 08:28:07 -07:00
s3api_bucket_policy_arn_test.go
S3: Directly read write volume servers (#7481)
2025-11-18 23:18:35 -08:00
s3api_bucket_policy_engine.go
s3: add s3:ExistingObjectTag condition support for bucket policies (#7677)
2025-12-09 09:48:13 -08:00
s3api_bucket_policy_handlers.go
S3: Directly read write volume servers (#7481)
2025-11-18 23:18:35 -08:00
s3api_bucket_tagging_handlers.go
S3 API: Add SSE-KMS (#7144)
2025-08-21 08:28:07 -07:00
s3api_circuit_breaker_test.go
move to https://github.com/seaweedfs/seaweedfs
2022-07-29 00:17:28 -07:00
s3api_circuit_breaker.go
Metrics: Add Prometheus metrics for concurrent upload tracking (#7555)
2025-11-26 15:51:38 -08:00
s3api_conditional_headers_test.go
Refactor: Replace removeDuplicateSlashes with NormalizeObjectKey (#7873)
2025-12-24 19:07:08 -08:00
s3api_copy_size_calculation.go
S3 API: Add SSE-S3 (#7151)
2025-08-22 01:15:42 -07:00
s3api_copy_validation.go
S3 API: Add SSE-KMS (#7144)
2025-08-21 08:28:07 -07:00
s3api_domain_test.go
fix: Use a mixed of virtual and path styles within a single subdomain (#7357)
2025-10-24 01:45:22 -07:00
s3api_embedded_iam_test.go
IAM: Add Service Account Support (#7744) (#7901)
2025-12-29 20:17:23 -08:00
s3api_embedded_iam.go
IAM: Add Service Account Support (#7744) (#7901)
2025-12-29 20:17:23 -08:00
s3api_encrypted_volume_copy_test.go
S3: Fix encrypted file copy with multiple chunks (#7530) (#7546)
2025-11-25 09:56:20 -08:00
s3api_governance_permissions_test.go
Add policy engine (#6970)
2025-07-13 16:21:36 -07:00
s3api_handlers.go
Support multiple filers for S3 and IAM servers with automatic failover (#7550)
2025-11-26 11:29:55 -08:00
s3api_implicit_directory_test.go
S3: Directly read write volume servers (#7481)
2025-11-18 23:18:35 -08:00
s3api_key_rotation.go
Add S3 volume encryption support with -s3.encryptVolumeData flag (#7890)
2025-12-27 00:09:14 -08:00
s3api_list_normalization_test.go
Refactor: Replace removeDuplicateSlashes with NormalizeObjectKey (#7873)
2025-12-24 19:07:08 -08:00
s3api_object_handlers_acl.go
Refactor: Replace removeDuplicateSlashes with NormalizeObjectKey (#7873)
2025-12-24 19:07:08 -08:00
s3api_object_handlers_copy_test.go
fix: copy to bucket with default SSE-S3 encryption fails (#7562) (#7568)
2025-11-28 13:28:17 -08:00
s3api_object_handlers_copy_unified.go
Fix SSE-S3 copy: preserve encryption metadata and set chunk SSE type (#7598)
2025-12-02 09:24:31 -08:00
s3api_object_handlers_copy.go
Add S3 volume encryption support with -s3.encryptVolumeData flag (#7890)
2025-12-27 00:09:14 -08:00
s3api_object_handlers_delete.go
Refactor: Replace removeDuplicateSlashes with NormalizeObjectKey (#7873)
2025-12-24 19:07:08 -08:00
s3api_object_handlers_legal_hold.go
refactor (#6999)
2025-07-19 00:49:56 -07:00
s3api_object_handlers_list_test.go
Fix: Eliminate duplicate versioned objects in S3 list operations (#7850)
2025-12-22 15:50:13 -08:00
s3api_object_handlers_list_versioned_test.go
Fix: Eliminate duplicate versioned objects in S3 list operations (#7850)
2025-12-22 15:50:13 -08:00
s3api_object_handlers_list.go
Fix: Eliminate duplicate versioned objects in S3 list operations (#7850)
2025-12-22 15:50:13 -08:00
s3api_object_handlers_multipart.go
s3: do not persist multi part "Response-Content-Disposition" in request header (#7887)
2025-12-26 13:21:15 -08:00
s3api_object_handlers_postpolicy_test.go
Refactor: Replace removeDuplicateSlashes with NormalizeObjectKey (#7873)
2025-12-24 19:07:08 -08:00
s3api_object_handlers_postpolicy.go
Refactor: Replace removeDuplicateSlashes with NormalizeObjectKey (#7873)
2025-12-24 19:07:08 -08:00
s3api_object_handlers_put_test.go
check errors
2025-11-21 14:48:41 -08:00
s3api_object_handlers_put.go
s3: implement Bucket Owner Enforced for object ownership (#7913)
2025-12-29 23:54:00 -08:00
s3api_object_handlers_retention.go
refactor (#6999)
2025-07-19 00:49:56 -07:00
s3api_object_handlers_tagging.go
Refactor: Replace removeDuplicateSlashes with NormalizeObjectKey (#7873)
2025-12-24 19:07:08 -08:00
s3api_object_handlers_test.go
Support multiple filers for S3 and IAM servers with automatic failover (#7550)
2025-11-26 11:29:55 -08:00
s3api_object_handlers.go
s3api: Integrate SOSAPI handlers into GetObject and HeadObject
2025-12-28 12:56:51 -08:00
s3api_object_lock_fix_test.go
Fix get object lock configuration handler (#6996)
2025-07-18 02:19:50 -07:00
s3api_object_lock_headers_test.go
Test object lock and retention (#6997)
2025-07-18 22:25:58 -07:00
s3api_object_ownership_test.go
s3: implement Bucket Owner Enforced for object ownership (#7913)
2025-12-29 23:54:00 -08:00
s3api_object_retention_test.go
S3: S3 Object Retention API to include XML namespace support (#7517)
2025-11-20 11:42:22 -08:00
s3api_object_retention.go
s3: optimize DELETE by skipping lock check for buckets without Object Lock (#7642)
2025-12-06 21:37:25 -08:00
s3api_object_versioning.go
Refactor: Replace removeDuplicateSlashes with NormalizeObjectKey (#7873)
2025-12-24 19:07:08 -08:00
s3api_policy.go
[s3] Put bucket lifecycle configuration (#5510)
2024-04-27 07:39:22 -07:00
s3api_put_handlers.go
S3: Directly read write volume servers (#7481)
2025-11-18 23:18:35 -08:00
s3api_put_object_helper_test.go
Add credential storage (#6938)
2025-07-02 18:03:17 -07:00
s3api_put_object_helper.go
s3api: remove redundant auth verification in getRequestDataReader (#7685)
2025-12-09 10:24:35 -08:00
s3api_remote_storage_test.go
fix: S3 remote storage cold-cache read fails with 'size reported but no content available' (#7817)
2025-12-18 21:19:44 -08:00
s3api_server_grpc.go
move to https://github.com/seaweedfs/seaweedfs
2022-07-29 00:17:28 -07:00
s3api_server.go
Fix critical authentication bypass vulnerability (#7912) (#7915)
2025-12-30 12:40:59 -08:00
s3api_sosapi_test.go
s3: Add SOSAPI support for Veeam integration (#7899)
2025-12-28 14:07:58 -08:00
s3api_sosapi.go
s3: Add SOSAPI support for Veeam integration (#7899)
2025-12-28 14:07:58 -08:00
s3api_sse_chunk_metadata_test.go
S3: Directly read write volume servers (#7481)
2025-11-18 23:18:35 -08:00
s3api_sse_decrypt_test.go
S3: Directly read write volume servers (#7481)
2025-11-18 23:18:35 -08:00
s3api_sse_s3_upload_test.go
S3: Directly read write volume servers (#7481)
2025-11-18 23:18:35 -08:00
s3api_status_handlers.go
move to https://github.com/seaweedfs/seaweedfs
2022-07-29 00:17:28 -07:00
s3api_streaming_copy.go
Fix SSE-S3 copy: preserve encryption metadata and set chunk SSE type (#7598)
2025-12-02 09:24:31 -08:00
s3api_sts.go
IAM: Add Service Account Support (#7744) (#7901)
2025-12-29 20:17:23 -08:00
s3api_test.go
move to https://github.com/seaweedfs/seaweedfs
2022-07-29 00:17:28 -07:00
s3api_version_id_test.go
fix: S3 versioning memory leak in ListObjectVersions pagination (#7813)
2025-12-18 02:52:50 -08:00
s3api_version_id.go
Refactor: Replace removeDuplicateSlashes with NormalizeObjectKey (#7873)
2025-12-24 19:07:08 -08:00
s3api_xsd_generated_helper.go
add s3test for sql (#5718)
2024-07-04 11:00:41 -07:00
s3api_xsd_generated.go
fix ListAllMyBucketsResult xmlns
2025-08-14 20:38:03 -07:00
stats.go
Populate bucket_traffic_received_bytes_total metric (#7249)
2025-09-17 19:04:51 -07:00
tags_test.go
tag parsing decode url encoded
2025-07-28 02:49:43 -07:00
tags.go
tag parsing decode url encoded
2025-07-28 02:49:43 -07:00

README.txt 

see https://blog.aqwari.net/xml-schema-go/

1. go get aqwari.net/xml/cmd/xsdgen
2. Add EncodingType element for ListBucketResult in AmazonS3.xsd
3. xsdgen -o s3api_xsd_generated.go -pkg s3api AmazonS3.xsd
4. Remove empty Grantee struct in s3api_xsd_generated.go
5. Remove xmlns: sed s'/http:\/\/s3.amazonaws.com\/doc\/2006-03-01\/\ //' s3api_xsd_generated.go
Reference in New Issue View Git Blame Copy Permalink