web-handler: Allow anonymous download of zip (#4309)

fixes #4230
master
Krishna Srinivas 8 years ago committed by Harshavardhana
parent d1971b9a4d
commit bb292e4e38
  1. 22
      cmd/web-handlers.go

@ -21,6 +21,7 @@ import (
"encoding/json" "encoding/json"
"errors" "errors"
"fmt" "fmt"
"io"
"io/ioutil" "io/ioutil"
"net/http" "net/http"
"os" "os"
@ -567,19 +568,26 @@ func (web *webAPIHandlers) DownloadZip(w http.ResponseWriter, r *http.Request) {
return return
} }
token := r.URL.Query().Get("token") // Auth is done after reading the body to accommodate for anonymous requests
// when bucket policy is enabled.
if !isAuthTokenValid(token) {
writeWebErrorResponse(w, errAuthentication)
return
}
var args DownloadZipArgs var args DownloadZipArgs
decodeErr := json.NewDecoder(r.Body).Decode(&args) tenKB := 10 * 1024 // To limit r.Body to take care of misbehaving anonymous client.
decodeErr := json.NewDecoder(io.LimitReader(r.Body, int64(tenKB))).Decode(&args)
if decodeErr != nil { if decodeErr != nil {
writeWebErrorResponse(w, decodeErr) writeWebErrorResponse(w, decodeErr)
return return
} }
token := r.URL.Query().Get("token")
if !isAuthTokenValid(token) {
for _, object := range args.Objects {
if !isBucketActionAllowed("s3:GetObject", args.BucketName, pathJoin(args.Prefix, object)) {
writeWebErrorResponse(w, errAuthentication)
return
}
}
}
archive := zip.NewWriter(w) archive := zip.NewWriter(w)
defer archive.Close() defer archive.Close()

Loading…
Cancel
Save