From 719f8c258a19f110b7d5b36c4fba1616ad45bfef Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Sun, 5 Nov 2017 03:02:19 -0800
Subject: [PATCH] fix content-sha256 verification for presigned PUT (#5137)
It is possible that x-amz-content-sha256 is set through the query params in case of presigned PUT calls, make sure that we validate the incoming x-amz-content-sha256 properly. Current code simply just allows this without honoring the set x-amz-content-sha256, fix it.
---
cmd/object-handlers.go | 4 ++--
cmd/signature-v4.go | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/cmd/object-handlers.go b/cmd/object-handlers.go
index d5a91e2ff..d94cf199a 100644
--- a/cmd/object-handlers.go
+++ b/cmd/object-handlers.go
@@ -569,7 +569,7 @@ func (api objectAPIHandlers) PutObjectHandler(w http.ResponseWriter, r *http.Req
 return
 }
 if !skipContentSha256Cksum(r) {
- sha256hex = r.Header.Get("X-Amz-Content-Sha256")
+ sha256hex = getContentSha256Cksum(r)
 }
 }
@@ -866,7 +866,7 @@ func (api objectAPIHandlers) PutObjectPartHandler(w http.ResponseWriter, r *http
 }
 if !skipContentSha256Cksum(r) {
- sha256hex = r.Header.Get("X-Amz-Content-Sha256")
+ sha256hex = getContentSha256Cksum(r)
 }
 }
diff --git a/cmd/signature-v4.go b/cmd/signature-v4.go
index 007a66922..b66bdc9b9 100644
--- a/cmd/signature-v4.go
+++ b/cmd/signature-v4.go
@@ -289,7 +289,7 @@ func doesPresignedSignatureMatch(hashedPayload string, r *http.Request, region s
 /// Verify finally if signature is same.
 // Get canonical request.
- presignedCanonicalReq := getCanonicalRequest(extractedSignedHeaders, hashedPayload, encodedQuery, req.URL.Path, req.Method)
+ presignedCanonicalReq := getCanonicalRequest(extractedSignedHeaders, unsignedPayload, encodedQuery, req.URL.Path, req.Method)
 // Get string to sign from canonical request.
 presignedStringToSign := getStringToSign(presignedCanonicalReq, t, pSignValues.Credential.getScope())
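Review bot: No test accompanies the new digest lookup in PutObjectHandler or the identical change in PutObjectPartHandler: the diffstat lists only cmd/object-handlers.go and cmd/signature-v4.go, so a presigned PUT whose X-Amz-Content-Sha256 query value does not match the body remains unexercised. Both `skipContentSha256Cksum` and `getContentSha256Cksum` are defined outside these hunks, so it is worth confirming that they consult the same source (header versus query string); if the skip check reads only the header, a digest supplied in the query could still be bypassed. A short comment above the assignment would record why the direct header read was replaced, e.g. `// Presigned requests may carry the digest as a query parameter, so read it through the helper rather than the header.` Both handler bodies continue outside their hunks.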
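Review bot: With `unsignedPayload` hard-coded in the `getCanonicalRequest` call, the `hashedPayload` argument no longer feeds the presigned signature, so the signature by itself does not bind any body digest. Integrity of the upload then appears to rest on the X-Amz-Content-Sha256 query value being covered by the signed `encodedQuery` and on the handlers comparing it with the body; neither is visible in this hunk and both should be confirmed. Please also check that `hashedPayload` is still used elsewhere in doesPresignedSignatureMatch, whose body starts and ends outside the hunk, rather than being left as a dead parameter. A comment on the changed line would make the intent explicit, for example `// Presigned requests are signed over unsignedPayload; a content hash passed in the query is checked against the body separately.`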