viaprog/seaweedfs
1
0
Fork 0
mirror of https://github.com/seaweedfs/seaweedfs.git synced 2026-06-13 23:36:45 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
689b5b61bfd515dbbbd9e66d2c4b32ed864df761
seaweedfs/weed
T
History
7y-9 689b5b61bf fix(s3api): reject empty v4 signed header names (#9910) 
Problem: Signature V4 SignedHeaders parsing accepted empty header name segments such as host; or ;host. Malformed Authorization headers could continue into signature verification instead of failing during header parsing.

Root cause: parseSignedHeader only checked that the SignedHeaders value was non-empty, then split it on semicolons without validating each element.

Fix: reject empty or whitespace-only signed header elements with ErrMissingFields before returning the parsed header list.

Reproduction: go test ./weed/s3api -run TestParseSignedHeaderRejectsEmptyHeaderNames -count=1 failed before the fix because SignedHeaders=host; returned ErrNone.

Validation: gofmt -w weed/s3api/auth_signature_v4.go weed/s3api/auth_signature_v4_test.go; git diff --check; go test ./weed/s3api -run TestParseSignedHeaderRejectsEmptyHeaderNames -count=1; go test ./weed/s3api -count=1

Co-authored-by: Codex <noreply@openai.com>
2026-06-10 11:00:35 -07:00
..
admin
feat(admin): export full cluster volume list as JSON (#9876)
2026-06-08 15:01:02 -07:00
cluster
s3: route object reads to the key's owner filer (#9806)
2026-06-03 00:12:28 -07:00
command
fix(filer.sync): replicate a rename as an atomic move, not a no-op update (#9895)
2026-06-09 12:54:28 -07:00
credential
grpc: don't tear down the shared master connection on a caller's own timeout (#9775)
2026-06-01 15:11:02 -07:00
filer
Share metadata-log replays per chunk instead of per file (#9906)
2026-06-10 10:57:11 -07:00
filer_client
glog
iam
fix(iam): return a valid user ARN from CreateUser and GetUser (#9794)
2026-06-02 22:01:57 -07:00
iamapi
fix(iam): return a valid user ARN from CreateUser and GetUser (#9794)
2026-06-02 22:01:57 -07:00
images
kms
mount
Fix filer metadata-replay OOM under mount reconnect storms (#9901)
2026-06-09 11:43:12 -07:00
mq
fix(mq): don't cache topic non-existence on transient filer errors
2026-06-08 12:04:48 -07:00
notification
operation
operation: index VidCache by map instead of slice (#9853)
2026-06-07 11:46:57 -07:00
pb
Fix filer metadata-replay OOM under mount reconnect storms (#9901)
2026-06-09 11:43:12 -07:00
plugin/worker
Treat co-located volume servers as one fault domain when balancing and allocating (#9854)
2026-06-07 14:14:45 -07:00
query
remote_storage
fix(remote): correct content and permissions when syncing/caching remote objects (#9879)
2026-06-08 13:55:53 -07:00
replication
fix(filer.sync): replicate a rename as an atomic move, not a no-op update (#9895)
2026-06-09 12:54:28 -07:00
s3api
fix(s3api): reject empty v4 signed header names (#9910)
2026-06-10 11:00:35 -07:00
security
security: hot-reload JWT signing keys on SIGHUP (#9826)
2026-06-04 22:26:08 -07:00
sequence
server
Fix filer metadata-replay OOM under mount reconnect storms (#9901)
2026-06-09 11:43:12 -07:00
sftpd
Don't mangle filer paths with the OS separator on Windows (#9878)
2026-06-08 13:56:02 -07:00
shell
fix(shell): move files into existing destination directories (#9887)
2026-06-08 23:42:13 -07:00
static
stats
feat(filer): object size distribution metric and dashboard panels (#9902)
2026-06-09 10:41:11 -07:00
storage
Make shell command ec.scrub return shard details upon scrub failures in LOCAL mode. (#9913)
2026-06-10 10:55:16 -07:00
telemetry
topology
vacuum: compact a read-only volume when an explicit volumeId is given (#9861)
2026-06-07 22:42:51 -07:00
util
Bound the metadata-log flush queue (#9907)
2026-06-10 10:57:30 -07:00
wdclient
grpc: don't tear down the shared master connection on a caller's own timeout (#9775)
2026-06-01 15:11:02 -07:00
worker
ec.balance: verify shard landed on destination before deleting the source (#9858)
2026-06-07 21:31:53 -07:00
Makefile
weed.go