viaprog/seaweedfs
1
0
Fork 0
mirror of https://github.com/seaweedfs/seaweedfs.git synced 2026-06-13 23:36:45 +03:00
Code Issues Packages Projects Releases Wiki Activity

fix(s3api): require space in v2 auth prefix (#9852)

Browse Source 
* fix(s3api): require space in v2 auth prefix

Problem: Signature V2 Authorization headers with a malformed algorithm token such as AWSX... are accepted as if they were AWS ... headers.

Root cause: validateV2AuthHeader checks HasPrefix("AWS") but then slices past an assumed trailing space, so an extra character after AWS is skipped and the rest is parsed as credentials.

Fix: Require the Authorization header to start with the exact AWS plus space prefix before parsing fields.

Reproduction: go test ./weed/s3api -run 'TestValidateV2AuthHeader/algorithm_prefix_without_space|TestDoesSignV2Match/malformed_auth_-_no_space_after_AWS' -count=1 fails before the fix because AWSXAKIA... is accepted.

Validation: go test ./weed/s3api -run 'TestValidateV2AuthHeader/algorithm_prefix_without_space|TestDoesSignV2Match/malformed_auth_-_no_space_after_AWS' -count=1; go test ./weed/s3api -count=1; git diff --check; git diff --cached --check

* Update weed/s3api/auth_signature_v2.go

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

---------

Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
This commit is contained in:
7y-9
2026-06-08 02:52:09 +08:00
committed by GitHub
parent 99bb5db1e3
commit 25f36cd13d
2 changed files with 8 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
weed/s3api/auth_signature_v2.go
+2 -1
View File
@@ -239,7 +239,8 @@ func validateV2AuthHeader(v2Auth string) (accessKey string, errCode s3err.ErrorC
// Signature V2 authorization header format:
// Authorization: AWS AKIAIOSFODNN7EXAMPLE:frJIUN8DYpKDtOLCwo//yllqDzg=
if !strings.HasPrefix(v2Auth, signV2Algorithm) {
const signV2AlgorithmPrefix = signV2Algorithm + " "
if !strings.HasPrefix(v2Auth, signV2AlgorithmPrefix) {
return "", s3err.ErrSignatureVersionNotSupported
}
weed/s3api/auth_signature_v2_test.go
+6 -1
View File
@@ -57,6 +57,11 @@ func TestValidateV2AuthHeader(t *testing.T) {
authHeader: "HMAC AKIAIOSFODNN7EXAMPLE:signature",
expectedError: s3err.ErrSignatureVersionNotSupported,
},
{
name: "algorithm prefix without space",
authHeader: "AWSXAKIAIOSFODNN7EXAMPLE:signature",
expectedError: s3err.ErrSignatureVersionNotSupported,
},
{
name: "missing colon separator",
authHeader: "AWS AKIAIOSFODNN7EXAMPLE",
@@ -232,7 +237,7 @@ func TestDoesSignV2Match(t *testing.T) {
query: "",
headers: map[string]string{"Date": "Mon, 09 Sep 2011 23:36:00 GMT"},
authOverride: "AWSAKIAIOSFODNN7EXAMPLE:signature==",
expectedError: s3err.ErrInvalidAccessKeyID,
expectedError: s3err.ErrSignatureVersionNotSupported,
expectIdent: false,
},
}