From 25f36cd13dee27bfee5c0400b93f97eb6c95f803 Mon Sep 17 00:00:00 2001 From: 7y-9 Date: Mon, 8 Jun 2026 02:52:09 +0800 Subject: [PATCH] fix(s3api): require space in v2 auth prefix (#9852) * fix(s3api): require space in v2 auth prefix Problem: Signature V2 Authorization headers with a malformed algorithm token such as AWSX... are accepted as if they were AWS ... headers. Root cause: validateV2AuthHeader checks HasPrefix("AWS") but then slices past an assumed trailing space, so an extra character after AWS is skipped and the rest is parsed as credentials. Fix: Require the Authorization header to start with the exact AWS plus space prefix before parsing fields. Reproduction: go test ./weed/s3api -run 'TestValidateV2AuthHeader/algorithm_prefix_without_space|TestDoesSignV2Match/malformed_auth_-_no_space_after_AWS' -count=1 fails before the fix because AWSXAKIA... is accepted. Validation: go test ./weed/s3api -run 'TestValidateV2AuthHeader/algorithm_prefix_without_space|TestDoesSignV2Match/malformed_auth_-_no_space_after_AWS' -count=1; go test ./weed/s3api -count=1; git diff --check; git diff --cached --check * Update weed/s3api/auth_signature_v2.go Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --------- Co-authored-by: Chris Lu Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
---
 weed/s3api/auth_signature_v2.go | 3 ++- weed/s3api/auth_signature_v2_test.go | 7 ++++++- 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/weed/s3api/auth_signature_v2.go b/weed/s3api/auth_signature_v2.go
index 786243f84..9f2167c43 100644
--- a/weed/s3api/auth_signature_v2.go
+++ b/weed/s3api/auth_signature_v2.go
@@ -239,7 +239,8 @@ func validateV2AuthHeader(v2Auth string) (accessKey string, errCode s3err.ErrorC
 // Signature V2 authorization header format:
 // Authorization: AWS AKIAIOSFODNN7EXAMPLE:frJIUN8DYpKDtOLCwo//yllqDzg=
- if !strings.HasPrefix(v2Auth, signV2Algorithm) {
+ const signV2AlgorithmPrefix = signV2Algorithm + " "
+ if !strings.HasPrefix(v2Auth, signV2AlgorithmPrefix) {
 return "", s3err.ErrSignatureVersionNotSupported
 }
diff --git a/weed/s3api/auth_signature_v2_test.go b/weed/s3api/auth_signature_v2_test.go
index d876c5abe..01b7156aa 100644
--- a/weed/s3api/auth_signature_v2_test.go
+++ b/weed/s3api/auth_signature_v2_test.go
@@ -57,6 +57,11 @@ func TestValidateV2AuthHeader(t *testing.T) {
 authHeader: "HMAC AKIAIOSFODNN7EXAMPLE:signature",
 expectedError: s3err.ErrSignatureVersionNotSupported,
 },
+ {
+ name: "algorithm prefix without space",
+ authHeader: "AWSXAKIAIOSFODNN7EXAMPLE:signature",
+ expectedError: s3err.ErrSignatureVersionNotSupported,
+ },
 {
 name: "missing colon separator",
 authHeader: "AWS AKIAIOSFODNN7EXAMPLE",
@@ -232,7 +237,7 @@ func TestDoesSignV2Match(t *testing.T) {
 query: "",
 headers: map[string]string{"Date": "Mon, 09 Sep 2011 23:36:00 GMT"},
 authOverride: "AWSAKIAIOSFODNN7EXAMPLE:signature==",
- expectedError: s3err.ErrInvalidAccessKeyID,
+ expectedError: s3err.ErrSignatureVersionNotSupported,
 expectIdent: false,
 },
 }
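Review bot: The prefix check now requires the trailing space, but the offset used further down in validateV2AuthHeader to strip that prefix (the function continues outside this hunk; per the commit message it slices past an assumed space) remains a separately maintained number, so the check and the slice can drift apart again in a later edit. If the module's Go version permits, `creds, ok := strings.CutPrefix(v2Auth, signV2Algorithm+" ")` followed by `if !ok { return "", s3err.ErrSignatureVersionNotSupported }` derives the remainder from the very prefix that was checked, and the rest of the function can parse `creds` with no explicit offset. The new function-local const would also sit more naturally at package scope beside `signV2Algorithm`, so the production check and any future test helper refer to one definition rather than re-deriving "AWS" plus space. A short comment on the check such as `// "AWS" must be followed by exactly one space; "AWSX..." is not a V2 header` records why the space is part of the prefix.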