From 7bde27032d1de66e65de3f32fa72fa9559daa387 Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Tue, 5 Jul 2016 21:00:20 -0700
Subject: [PATCH] signv4: Validate preSigned payload properly. (#2106)

We need to only validate presigned payload only if the payload is requested for, with default payload i.e 'UNSIGNED-PAYLOAD' we don't need to validate.
Fixes #2105
---
 signature-v4.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/signature-v4.go b/signature-v4.go
index 0a6b90e10..7fe9c4216 100644
--- a/signature-v4.go
+++ b/signature-v4.go
@@ -217,7 +217,8 @@ func doesPresignedSignatureMatch(hashedPayload string, r *http.Request, validate
 }
 // Hashed payload mismatch, return content sha256 mismatch.
- if hashedPayload != req.URL.Query().Get("X-Amz-Content-Sha256") {
+ contentSha256 := req.URL.Query().Get("X-Amz-Content-Sha256")
+ if contentSha256 != "" && hashedPayload != contentSha256 {
 return ErrContentSHA256Mismatch
 }
@@ -238,7 +239,7 @@ func doesPresignedSignatureMatch(hashedPayload string, r *http.Request, validate
 // Construct new query.
 query := make(url.Values)
- if req.URL.Query().Get("X-Amz-Content-Sha256") != "" {
+ if contentSha256 != "" {
 query.Set("X-Amz-Content-Sha256", hashedPayload)
 }
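Review bot: The new guard `contentSha256 != ""` in the first hunk is built on `Query().Get`, which returns an empty string both when `X-Amz-Content-Sha256` is absent and when it is present with an empty value, so a request carrying `X-Amz-Content-Sha256=` also skips the comparison, and the second hunk then leaves the parameter out of the rebuilt query as well. If only the absent case is meant to count as an unsigned payload, test presence explicitly, e.g. `if _, ok := req.URL.Query()["X-Amz-Content-Sha256"]; ok && contentSha256 == "" { return ErrContentSHA256Mismatch }`. The comment above the check no longer describes the condition; something like `// No X-Amz-Content-Sha256 in the query means the payload is unsigned: the body is not integrity-checked here and only the signature over the canonical query binds the request.` would record why skipping is acceptable. Whether `hashedPayload` actually holds the unsigned-payload constant in that case depends on the caller and on the canonical-request code, both outside these hunks, so that should be confirmed. The diffstat lists only `signature-v4.go`; a test covering absent, matching and mismatching values would pin this behaviour.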