allow disabling strict sha256 validation with some broken clients (#13383)

with some broken clients allow non-strict validation of sha256 when ContentLength > 0, it has been found in the wild some applications that need this behavior. This shall be only allowed if `--no-compat` is used.
2021-10-08 12:40:34 -07:00 · 2021-10-08 12:40:34 -07:00 · 60f961dfe8
parent 0c48b1d993
commit 60f961dfe8
4 changed files with 30 additions and 5 deletions
--- a/cmd/fs-v1-multipart_test.go
+++ b/cmd/fs-v1-multipart_test.go
@ -58,9 +58,9 @@ func TestFSCleanupMultipartUploadsInRoutine(t *testing.T) {
 	}, obj.SetDriveCounts())

 	defer func() {
-		globalAPIConfig = apiConfig{
-			listQuorum: 3,
-		}
+		globalAPIConfig.init(api.Config{
+			ListQuorum: "optimal",
+		}, obj.SetDriveCounts())
 	}()

 	var cleanupWg sync.WaitGroup
--- a/cmd/server-main.go
+++ b/cmd/server-main.go
@ -587,6 +587,10 @@ func serverMain(ctx *cli.Context) {
 		logStartupMessage(color.RedBold(msg))
 	}

+	if !globalCLIContext.StrictS3Compat {
+		logStartupMessage(color.RedBold("WARNING: Strict AWS S3 compatible incoming PUT, POST content payload validation is turned off, caution is advised do not use in production"))
+	}
+
 	if globalBrowserEnabled {
 		globalConsoleSrv, err = initConsoleServer()
 		if err != nil {
--- a/cmd/signature-v4-utils.go
+++ b/cmd/signature-v4-utils.go
@ -55,9 +55,30 @@ func skipContentSha256Cksum(r *http.Request) bool {
 		v, ok = r.Header[xhttp.AmzContentSha256]
 	}

+	// Skip if no header was set.
+	if !ok {
+		return true
+	}
+
 	// If x-amz-content-sha256 is set and the value is not
 	// 'UNSIGNED-PAYLOAD' we should validate the content sha256.
-	return !(ok && v[0] != unsignedPayload)
+	switch v[0] {
+	case unsignedPayload:
+		return true
+	case emptySHA256:
+		// some broken clients set empty-sha256
+		// with > 0 content-length in the body,
+		// we should skip such clients and allow
+		// blindly such insecure clients only if
+		// S3 strict compatibility is disabled.
+		if r.ContentLength > 0 && !globalCLIContext.StrictS3Compat {
+			// We return true only in situations when
+			// deployment has asked MinIO to allow for
+			// such broken clients and content-length > 0.
+			return true
+		}
+	}
+	return false
 }

 // Returns SHA256 for calculating canonical-request.
--- a/internal/config/api/api.go
+++ b/internal/config/api/api.go
@ -50,7 +50,7 @@ const (
 	EnvAPICorsAllowOrigin          = "MINIO_API_CORS_ALLOW_ORIGIN"
 	EnvAPIRemoteTransportDeadline  = "MINIO_API_REMOTE_TRANSPORT_DEADLINE"
 	EnvAPIListQuorum               = "MINIO_API_LIST_QUORUM"
-	EnvAPISecureCiphers            = "MINIO_API_SECURE_CIPHERS"
+	EnvAPISecureCiphers            = "MINIO_API_SECURE_CIPHERS" // default "on"
 	EnvAPIReplicationWorkers       = "MINIO_API_REPLICATION_WORKERS"
 	EnvAPIReplicationFailedWorkers = "MINIO_API_REPLICATION_FAILED_WORKERS"
 	EnvAPITransitionWorkers        = "MINIO_API_TRANSITION_WORKERS"