fix DoS vulnerability in request authentication (#5887)

This commit fixes a DoS vulnerability in the
request authentication. The root cause is an 'unlimited'
read-into-RAM from the request body.

Since this read happens before the request authentication
is verified the vulnerability can be exploit without any
access privileges.

This commit limits the size of the request body to 3 MB.
This is about the same size as AWS. The limit seems to be
between 1.6 and 3.2 MB - depending on the AWS machine which
is handling the request.
master
Andreas Auernhammer 7 years ago committed by Dee Koder
parent 9439dfef64
commit c5a00e513c
  1. 7
      cmd/auth-handler.go
  2. 3
      cmd/globals.go

@ -22,6 +22,7 @@ import (
"encoding/base64"
"encoding/hex"
"errors"
"io"
"io/ioutil"
"net/http"
"strings"
@ -153,10 +154,10 @@ func checkRequestAuthType(ctx context.Context, r *http.Request, action policy.Ac
var locationConstraint string
if action == policy.CreateBucketAction {
// To extract region from XML in request body, get copy of request body.
payload, err := ioutil.ReadAll(r.Body)
payload, err := ioutil.ReadAll(io.LimitReader(r.Body, maxLocationConstraintSize))
if err != nil {
logger.LogIf(ctx, err)
return ErrAccessDenied
return ErrMalformedXML
}
// Populate payload to extract location constraint.
@ -165,7 +166,7 @@ func checkRequestAuthType(ctx context.Context, r *http.Request, action policy.Ac
var s3Error APIErrorCode
locationConstraint, s3Error = parseLocationConstraint(r)
if s3Error != ErrNone {
return ErrAccessDenied
return s3Error
}
// Populate payload again to handle it in HTTP handler.

@ -76,6 +76,9 @@ const (
globalMultipartExpiry = time.Hour * 24 * 14 // 2 weeks.
// Cleanup interval when the stale multipart cleanup is initiated.
globalMultipartCleanupInterval = time.Hour * 24 // 24 hrs.
// Limit of location constraint XML for unauthenticted PUT bucket operations.
maxLocationConstraintSize = 3 * humanize.MiByte
)
var (

Loading…
Cancel
Save