@ -156,6 +156,14 @@ func guessIsBrowserReq(req *http.Request) bool {
return strings . Contains ( req . Header . Get ( "User-Agent" ) , "Mozilla" )
}
// guessIsRPCReq - returns true if the request is for an RPC endpoint.
func guessIsRPCReq ( req * http . Request ) bool {
if req == nil {
return false
}
return req . Method == http . MethodConnect && req . Proto == "HTTP/1.0"
}
func ( h redirectHandler ) ServeHTTP ( w http . ResponseWriter , r * http . Request ) {
aType := getRequestAuthType ( r )
// Re-direct only for JWT and anonymous requests from browser.
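Review bot: The doc comment on `guessIsRPCReq` says the request "is for an RPC endpoint", but the body tests only the method and the protocol string and never looks at the path, so the comment overstates what the function knows. Both values are taken from the client's request line, so, like the User-Agent test in `guessIsBrowserReq` just above, the result is a guess and not an authentication or routing decision. I would state that in the comment, for example `// guessIsRPCReq - reports whether req looks like an RPC handshake (CONNECT over HTTP/1.0). Both fields are client-supplied; a true result is not proof of origin.` The enclosing `redirectHandler.ServeHTTP` body continues outside the hunk.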
@ -202,21 +210,23 @@ func (h cacheControlHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
}
// Adds verification for incoming paths.
type minioPrivate BucketHandler struct {
type minioReserved BucketHandler struct {
handler http . Handler
}
func setPrivate BucketHandler ( h http . Handler ) http . Handler {
return minioPrivate BucketHandler { h }
func setReserved BucketHandler ( h http . Handler ) http . Handler {
return minioReserved BucketHandler { h }
}
func ( h minioPrivateBucketHandler ) ServeHTTP ( w http . ResponseWriter , r * http . Request ) {
// For all non browser requests, reject access to 'minioReservedBucketPath'.
func ( h minioReservedBucketHandler ) ServeHTTP ( w http . ResponseWriter , r * http . Request ) {
if ! guessIsRPCReq ( r ) && ! guessIsBrowserReq ( r ) {
// For all non browser, non RPC requests, reject access to 'minioReservedBucketPath'.
bucketName , _ := urlPath2BucketObjectName ( r . URL )
if ! guessIsBrowserReq ( r ) && ( isMinioReservedBucket ( bucketName ) || isMinioMetaBucket ( bucketName ) ) {
if isMinioReservedBucket ( bucketName ) || isMinioMetaBucket ( bucketName ) {
writeErrorResponse ( w , ErrAllAccessDisabled , r . URL )
return
}
}
h . handler . ServeHTTP ( w , r )
}
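Review bot: In `minioReservedBucketHandler.ServeHTTP` the new outer condition skips the reserved-bucket and meta-bucket rejection for every request that `guessIsRPCReq` accepts, and that predicate depends only on the client-chosen method and protocol version. With this change the guard alone no longer keeps non-browser clients out of those buckets, so whatever `h.handler` routes to for those paths has to authenticate the request itself; that is not visible in this hunk and is worth confirming. If the RPC routes live under one known prefix, tie the exemption to it, e.g. `if !guessIsBrowserReq(r) && !(guessIsRPCReq(r) && strings.HasPrefix(r.URL.Path, minioReservedBucketPath)) {` (assuming `minioReservedBucketPath` is the string constant the comment refers to), so that the meta bucket stays blocked for RPC-shaped requests. The error returned by `urlPath2BucketObjectName` is still discarded here, so it would help to add a comment explaining why an unparsable path can safely fall through to the next handler.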