diff --git a/pkg/server/api/bucket-handlers.go b/pkg/server/api/bucket-handlers.go
index d5b34d35a..eb5911f88 100644
--- a/pkg/server/api/bucket-handlers.go
+++ b/pkg/server/api/bucket-handlers.go
@@ -88,6 +88,10 @@ func (api Minio) ListMultipartUploadsHandler(w http.ResponseWriter, req *http.Re
 }
 resources := getBucketMultipartResources(req.URL.Query())
+ if resources.MaxUploads < 0 {
+ writeErrorResponse(w, req, InvalidMaxUploads, acceptsContentType, req.URL.Path)
+ return
+ }
 if resources.MaxUploads == 0 {
 resources.MaxUploads = maxObjectList
 }
@@ -155,6 +159,10 @@ func (api Minio) ListObjectsHandler(w http.ResponseWriter, req *http.Request) {
 }
 resources := getBucketResources(req.URL.Query())
+ if resources.Maxkeys < 0 {
+ writeErrorResponse(w, req, InvalidMaxKeys, acceptsContentType, req.URL.Path)
+ return
+ }
 if resources.Maxkeys == 0 {
 resources.Maxkeys = maxObjectList
 }
diff --git a/pkg/server/api/errors.go b/pkg/server/api/errors.go
index 7879a18ba..e0003cbf9 100644
--- a/pkg/server/api/errors.go
+++ b/pkg/server/api/errors.go
@@ -52,6 +52,10 @@ const (
 InvalidDigest
 InvalidRange
 InvalidRequest
+ InvalidMaxKeys
+ InvalidMaxUploads
+ InvalidMaxParts
+ InvalidPartNumberMarker
 MalformedXML
 MissingContentLength
 MissingRequestBodyError
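Review bot: The new guards in `ListMultipartUploadsHandler` and `ListObjectsHandler` reject only negative values, so a `max-uploads` or `max-keys` above `maxObjectList` still reaches the listing code with the caller's number; only `0` is replaced by the default. Unless a cap exists further down (both handler bodies continue outside the hunks), the page size stays client-controlled and a single request can ask for an arbitrarily large listing. Consider clamping in the existing fallback, `if resources.Maxkeys == 0 || resources.Maxkeys > maxObjectList {`, and likewise for `MaxUploads`. The `MaxParts` fallback in `ListObjectPartsHandler` (object-handlers.go) has the same shape with `maxPartsList`.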
@@ -69,11 +73,31 @@ const (
 // Error codes, non exhaustive list - standard HTTP errors
 const (
- NotAcceptable = iota + 25
+ NotAcceptable = iota + 29
 )
 // Error code to Error structure map
 var errorCodeResponse = map[int]Error{
+ InvalidMaxUploads: {
+ Code: "InvalidArgument",
+ Description: "Argument maxUploads must be an integer between 0 and 2147483647",
+ HTTPStatusCode: http.StatusBadRequest,
+ },
+ InvalidMaxKeys: {
+ Code: "InvalidArgument",
+ Description: "Argument maxKeys must be an integer between 0 and 2147483647",
+ HTTPStatusCode: http.StatusBadRequest,
+ },
+ InvalidMaxParts: {
+ Code: "InvalidArgument",
+ Description: "Argument maxParts must be an integer between 1 and 10000",
+ HTTPStatusCode: http.StatusBadRequest,
+ },
+ InvalidPartNumberMarker: {
+ Code: "InvalidArgument",
+ Description: "Argument partNumberMarker must be an integer",
+ HTTPStatusCode: http.StatusBadRequest,
+ },
 AccessDenied: {
 Code: "AccessDenied",
 Description: "Access Denied",
diff --git a/pkg/server/api/object-handlers.go b/pkg/server/api/object-handlers.go
index f1a5d73d5..e51fb1bac 100644
--- a/pkg/server/api/object-handlers.go
+++ b/pkg/server/api/object-handlers.go
@@ -473,6 +473,14 @@ func (api Minio) ListObjectPartsHandler(w http.ResponseWriter, req *http.Request
 }
 objectResourcesMetadata := getObjectResources(req.URL.Query())
+ if objectResourcesMetadata.PartNumberMarker < 0 {
+ writeErrorResponse(w, req, InvalidPartNumberMarker, acceptsContentType, req.URL.Path)
+ return
+ }
+ if objectResourcesMetadata.MaxParts < 0 {
+ writeErrorResponse(w, req, InvalidMaxParts, acceptsContentType, req.URL.Path)
+ return
+ }
 if objectResourcesMetadata.MaxParts == 0 {
 objectResourcesMetadata.MaxParts = maxPartsList
 }
diff --git a/pkg/server/api_donut_cache_test.go b/pkg/server/api_donut_cache_test.go
index a0afb142d..a7ec5f4f9 100644
--- a/pkg/server/api_donut_cache_test.go
+++ b/pkg/server/api_donut_cache_test.go
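Review bot: `NotAcceptable = iota + 29` in errors.go is a hand-maintained offset that has to be bumped whenever a code is added to the preceding const block, as this commit does (25 to 29 for the four new codes). If a later change forgets the bump, `NotAcceptable` takes the same integer as one of the codes above it, and a lookup in `errorCodeResponse` could then return the wrong error body and status. A comment on the line would make the coupling explicit, e.g. `// offset must equal the number of codes declared in the const block above`; declaring `NotAcceptable` as the last entry of that block would remove the manual step altogether.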
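Review bot: The messages returned by the two new guards in `ListObjectPartsHandler` promise more than the checks enforce. `InvalidMaxParts` says the value must be between 1 and 10000, yet `MaxParts < 0` lets `0` through (it then becomes `maxPartsList`), and `InvalidPartNumberMarker` says "must be an integer" while it fires only for negative integers. What happens to a non-numeric value is decided in `getObjectResources`, outside the hunk; if a failed parse yields `0` there, such input is accepted silently and never produces either error, which is worth confirming. A comment on the guard would record the intent, e.g. `// 0 means the parameter was absent; only negative values are rejected here`. The handler body starts and ends outside the hunk.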
@@ -548,6 +548,22 @@ func (s *MyAPIDonutCacheSuite) TestListObjectsHandlerErrors(c *C) {
 response, err = client.Do(request)
 c.Assert(err, IsNil)
 verifyError(c, response, "NoSuchBucket", "The specified bucket does not exist.", http.StatusNotFound)
+
+ request, err = http.NewRequest("PUT", testAPIDonutCacheServer.URL+"/objecthandlererrors", nil)
+ c.Assert(err, IsNil)
+ request.Header.Add("x-amz-acl", "private")
+
+ client = http.Client{}
+ response, err = client.Do(request)
+ c.Assert(err, IsNil)
+ c.Assert(response.StatusCode, Equals, http.StatusOK)
+
+ request, err = http.NewRequest("GET", testAPIDonutCacheServer.URL+"/objecthandlererrors?max-keys=-2", nil)
+ c.Assert(err, IsNil)
+ client = http.Client{}
+ response, err = client.Do(request)
+ c.Assert(err, IsNil)
+ verifyError(c, response, "InvalidArgument", "Argument maxKeys must be an integer between 0 and 2147483647", http.StatusBadRequest)
 }
 func (s *MyAPIDonutCacheSuite) TestPutBucketErrors(c *C) {
@@ -787,6 +803,12 @@ func (s *MyAPIDonutCacheSuite) TestObjectMultipartList(c *C) {
 c.Assert(err, IsNil)
 c.Assert(response3.StatusCode, Equals, http.StatusOK)
+ request, err = http.NewRequest("GET", testAPIDonutCacheServer.URL+"/objectmultipartlist/object?max-parts=-2&uploadId="+uploadID, nil)
+ c.Assert(err, IsNil)
+
+ response4, err := client.Do(request)
+ c.Assert(err, IsNil)
+ verifyError(c, response4, "InvalidArgument", "Argument maxParts must be an integer between 1 and 10000", http.StatusBadRequest)
 }
 func (s *MyAPIDonutCacheSuite) TestObjectMultipart(c *C) {
diff --git a/pkg/server/api_donut_test.go b/pkg/server/api_donut_test.go
index 23b370c19..6d7e9dfa0 100644
--- a/pkg/server/api_donut_test.go
+++ b/pkg/server/api_donut_test.go
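Review bot: The added requests cover `max-keys=-2` and `max-parts=-2` only; `InvalidMaxUploads` and `InvalidPartNumberMarker`, both introduced by this commit, have no request that triggers them in `TestListObjectsHandlerErrors` or `TestObjectMultipartList`. A negative `max-uploads` on the multipart-uploads listing and a negative `part-number-marker` on the parts listing would pin the other two guards, each checked through `verifyError` with `http.StatusBadRequest` like the existing cases. The same gap is in the matching hunks of api_donut_test.go and api_signature_v4_test.go. Separately, none of the new responses has its body closed in the hunk; whether `verifyError` does that is not visible here.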
@@ -568,6 +568,22 @@ func (s *MyAPIDonutSuite) TestListObjectsHandlerErrors(c *C) {
 response, err = client.Do(request)
 c.Assert(err, IsNil)
 verifyError(c, response, "NoSuchBucket", "The specified bucket does not exist.", http.StatusNotFound)
+
+ request, err = http.NewRequest("PUT", testAPIDonutServer.URL+"/objecthandlererrors", nil)
+ c.Assert(err, IsNil)
+ request.Header.Add("x-amz-acl", "private")
+
+ client = http.Client{}
+ response, err = client.Do(request)
+ c.Assert(err, IsNil)
+ c.Assert(response.StatusCode, Equals, http.StatusOK)
+
+ request, err = http.NewRequest("GET", testAPIDonutServer.URL+"/objecthandlererrors?max-keys=-2", nil)
+ c.Assert(err, IsNil)
+ client = http.Client{}
+ response, err = client.Do(request)
+ c.Assert(err, IsNil)
+ verifyError(c, response, "InvalidArgument", "Argument maxKeys must be an integer between 0 and 2147483647", http.StatusBadRequest)
 }
 func (s *MyAPIDonutSuite) TestPutBucketErrors(c *C) {
@@ -807,6 +823,12 @@ func (s *MyAPIDonutSuite) TestObjectMultipartList(c *C) {
 c.Assert(err, IsNil)
 c.Assert(response3.StatusCode, Equals, http.StatusOK)
+ request, err = http.NewRequest("GET", testAPIDonutServer.URL+"/objectmultipartlist/object?max-parts=-2&uploadId="+uploadID, nil)
+ c.Assert(err, IsNil)
+
+ response4, err := client.Do(request)
+ c.Assert(err, IsNil)
+ verifyError(c, response4, "InvalidArgument", "Argument maxParts must be an integer between 1 and 10000", http.StatusBadRequest)
 }
 func (s *MyAPIDonutSuite) TestObjectMultipart(c *C) {
diff --git a/pkg/server/api_signature_v4_test.go b/pkg/server/api_signature_v4_test.go
index 8c7b4463e..45fe75db8 100644
--- a/pkg/server/api_signature_v4_test.go
+++ b/pkg/server/api_signature_v4_test.go
@@ -560,6 +560,22 @@ func (s *MyAPISignatureV4Suite) TestListObjectsHandlerErrors(c *C) {
 response, err = client.Do(request)
 c.Assert(err, IsNil)
 verifyError(c, response, "NoSuchBucket", "The specified bucket does not exist.", http.StatusNotFound)
+
+ request, err = s.newRequest("PUT", testSignatureV4Server.URL+"/objecthandlererrors", 0, nil)
+ c.Assert(err, IsNil)
+ request.Header.Add("x-amz-acl", "private")
+
+ client = http.Client{}
+ response, err = client.Do(request)
+ c.Assert(err, IsNil)
+ c.Assert(response.StatusCode, Equals, http.StatusOK)
+
+ request, err = http.NewRequest("GET", testSignatureV4Server.URL+"/objecthandlererrors?max-keys=-2", nil)
+ c.Assert(err, IsNil)
+ client = http.Client{}
+ response, err = client.Do(request)
+ c.Assert(err, IsNil)
+ verifyError(c, response, "InvalidArgument", "Argument maxKeys must be an integer between 0 and 2147483647", http.StatusBadRequest)
 }
 func (s *MyAPISignatureV4Suite) TestPutBucketErrors(c *C) {
@@ -806,6 +822,12 @@ func (s *MyAPISignatureV4Suite) TestObjectMultipartList(c *C) {
 c.Assert(err, IsNil)
 c.Assert(response3.StatusCode, Equals, http.StatusOK)
+ request, err = http.NewRequest("GET", testSignatureV4Server.URL+"/objectmultipartlist/object?max-parts=-2&uploadId="+uploadID, nil)
+ c.Assert(err, IsNil)
+
+ response4, err := client.Do(request)
+ c.Assert(err, IsNil)
+ verifyError(c, response4, "InvalidArgument", "Argument maxParts must be an integer between 1 and 10000", http.StatusBadRequest)
 }
 func (s *MyAPISignatureV4Suite) TestObjectMultipart(c *C) {
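Review bot: In `TestListObjectsHandlerErrors` the bucket is created through `s.newRequest(...)`, but the `max-keys=-2` GET is built with plain `http.NewRequest`, as is the `max-parts=-2` GET in `TestObjectMultipartList`, so in the signature-V4 suite these requests presumably carry no signature. The assertion therefore pins a 400 `InvalidArgument` for an unsigned request against a bucket created with `x-amz-acl: private`, and says nothing about the signed path the suite is meant to cover. Building them as `s.newRequest("GET", testSignatureV4Server.URL+"/objecthandlererrors?max-keys=-2", 0, nil)` would exercise that path. If the unsigned 400 is intended, it is worth confirming that argument validation in the handlers does not answer before the authorization check, which is outside the lines this diff shows.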