From c2c5b09bb1bccbfe5dd60a6cb7862993c211def2 Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Thu, 6 Feb 2020 08:29:38 +0530
Subject: [PATCH] Avoid object names with '//' to avoid hash inconsistencies (#8946)

This is to fix a situation where an object name incorrectly is sent with '//' in its path heirarchy, we should reject such object names because they may be hashed to a set where the object might not originally belong because, this can cause situations where once object is uploaded we cannot delete it anymore.

Fixes #8873
---
 buildscripts/gateway-tests.sh | 4 +++-
 cmd/object-api-input-checks.go | 1 +
 cmd/object-api-utils.go | 5 ++++-
 cmd/object-api-utils_test.go | 4 +++-
 4 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/buildscripts/gateway-tests.sh b/buildscripts/gateway-tests.sh
index 4bf132457..7571bb3c3 100755
--- a/buildscripts/gateway-tests.sh
+++ b/buildscripts/gateway-tests.sh
@@ -46,7 +46,9 @@ function main()
 gw_pid="$(start_minio_gateway_s3)"
 SERVER_ENDPOINT=127.0.0.1:24240 ENABLE_HTTPS=0 ACCESS_KEY=minio \
- SECRET_KEY=minio123 MINT_MODE="full" /mint/entrypoint.sh
+ SECRET_KEY=minio123 MINT_MODE="full" /mint/entrypoint.sh \
+ awscli aws-sdk-java aws-sdk-ruby mc minio-go minio-js s3cmd \
+ aws-sdk-go aws-sdk-php healthcheck minio-dotnet minio-py security
 rv=$?
 kill "$sr_pid"
diff --git a/cmd/object-api-input-checks.go b/cmd/object-api-input-checks.go
index dfe971ff6..8b31211e1 100644
--- a/cmd/object-api-input-checks.go
+++ b/cmd/object-api-input-checks.go
@@ -162,6 +162,7 @@ func checkObjectArgs(ctx context.Context, bucket, object string, obj ObjectLayer
 if err := checkObjectNameForLengthAndSlash(bucket, object); err != nil {
 return err
 }
+
 // Validates object name validity after bucket exists.
 if !IsValidObjectName(object) {
 return ObjectNameInvalid{
diff --git a/cmd/object-api-utils.go b/cmd/object-api-utils.go
index 9388eb698..58b2ac555 100644
--- a/cmd/object-api-utils.go
+++ b/cmd/object-api-utils.go
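Review bot: In buildscripts/gateway-tests.sh, the explicit suite list now passed to /mint/entrypoint.sh is not explained in the script or in the commit message, so a reader cannot tell which mint suites are deliberately left out of the gateway run or why. A pinned list also means suites added to mint later will presumably not run here until someone edits this line. A short comment above the command would cover both, for example `# Explicit suite list: <SUITE> is skipped for the gateway because <REASON>; update when mint adds suites.` with the placeholders filled in. main() begins and ends outside the hunk.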
@@ -166,7 +166,10 @@ func IsValidObjectPrefix(object string) bool {
 return false
 }
 // Reject unsupported characters in object name.
- if strings.ContainsAny(object, "\\") {
+ if strings.ContainsAny(object, `\`) {
+ return false
+ }
+ if strings.Contains(object, `//`) {
 return false
 }
 return true
diff --git a/cmd/object-api-utils_test.go b/cmd/object-api-utils_test.go
index ec324ea6b..0d9f9e0a8 100644
--- a/cmd/object-api-utils_test.go
+++ b/cmd/object-api-utils_test.go
@@ -122,7 +122,9 @@ func TestIsValidObjectName(t *testing.T) {
 {" ../etc", false},
 {"./././", false},
 {"./etc", false},
- {"contains-\\-backslash", false},
+ {`contains-\-backslash`, false},
+ {`contains//double/forwardslash`, false},
+ {`//contains/double-forwardslash-prefix`, false},
 {string([]byte{0xff, 0xfe, 0xfd}), false},
 }
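Review bot: The new `//` rejection in IsValidObjectPrefix carries no comment of its own, and the existing "Reject unsupported characters" comment above it describes only the backslash check. The reason given in the commit message belongs at the check, e.g. `// Reject empty path segments ('//'): such names may hash to a set the object does not belong to and then cannot be deleted.` Because this function validates prefixes as well as full names, the check presumably also applies to list and delete requests, so an object stored under a `//` name before this change may no longer be addressable through the API. The callers are outside this hunk, so that needs confirming, and a cleanup path should be documented if it holds. The function body starts above the hunk.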
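Review bot: The two cases added to TestIsValidObjectName cover `//` at the start and in the middle of a name, but the changed check lives in IsValidObjectPrefix and nothing visible here exercises it directly. A prefix ending in `//` is a form a list request could plausibly carry, and a trailing slash may be rejected by a different rule on the name path, so it would not prove the new check works for prefixes. If a table test for IsValidObjectPrefix exists elsewhere in this file, adding cases such as `{"a//", false}` and `{"a/b//", false}` in that table's shape would pin the behaviour. The test function continues past the end of the hunk.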