From 60f961dfe8cdfd492a35a04e2ac0def68e13c847 Mon Sep 17 00:00:00 2001 From: Harshavardhana Date: Fri, 8 Oct 2021 12:40:34 -0700 Subject: [PATCH] allow disabling strict sha256 validation with some broken clients (#13383) with some broken clients allow non-strict validation of sha256 when ContentLength > 0, it has been found in the wild some applications that need this behavior. This shall be only allowed if `--no-compat` is used. --- cmd/fs-v1-multipart_test.go | 6 +++--- cmd/server-main.go | 4 ++++ cmd/signature-v4-utils.go | 23 ++++++++++++++++++++++- internal/config/api/api.go | 2 +- 4 files changed, 30 insertions(+), 5 deletions(-) diff --git a/cmd/fs-v1-multipart_test.go b/cmd/fs-v1-multipart_test.go index 72063efc9..16210ea65 100644 --- a/cmd/fs-v1-multipart_test.go +++ b/cmd/fs-v1-multipart_test.go @@ -58,9 +58,9 @@ func TestFSCleanupMultipartUploadsInRoutine(t *testing.T) { }, obj.SetDriveCounts()) defer func() { - globalAPIConfig = apiConfig{ - listQuorum: 3, - } + globalAPIConfig.init(api.Config{ + ListQuorum: "optimal", + }, obj.SetDriveCounts()) }() var cleanupWg sync.WaitGroup diff --git a/cmd/server-main.go b/cmd/server-main.go index eeef4a9be..b31695060 100644 --- a/cmd/server-main.go +++ b/cmd/server-main.go @@ -587,6 +587,10 @@ func serverMain(ctx *cli.Context) { logStartupMessage(color.RedBold(msg)) } + if !globalCLIContext.StrictS3Compat { + logStartupMessage(color.RedBold("WARNING: Strict AWS S3 compatible incoming PUT, POST content payload validation is turned off, caution is advised do not use in production")) + } + if globalBrowserEnabled { globalConsoleSrv, err = initConsoleServer() if err != nil { diff --git a/cmd/signature-v4-utils.go b/cmd/signature-v4-utils.go index bfdeea8e4..e74d4428e 100644 --- a/cmd/signature-v4-utils.go +++ b/cmd/signature-v4-utils.go @@ -55,9 +55,30 @@ func skipContentSha256Cksum(r *http.Request) bool { v, ok = r.Header[xhttp.AmzContentSha256] } + // Skip if no header was set. + if !ok { + return true + } + // If x-amz-content-sha256 is set and the value is not // 'UNSIGNED-PAYLOAD' we should validate the content sha256. - return !(ok && v[0] != unsignedPayload) + switch v[0] { + case unsignedPayload: + return true + case emptySHA256: + // some broken clients set empty-sha256 + // with > 0 content-length in the body, + // we should skip such clients and allow + // blindly such insecure clients only if + // S3 strict compatibility is disabled. + if r.ContentLength > 0 && !globalCLIContext.StrictS3Compat { + // We return true only in situations when + // deployment has asked MinIO to allow for + // such broken clients and content-length > 0. + return true + } + } + return false } // Returns SHA256 for calculating canonical-request. diff --git a/internal/config/api/api.go b/internal/config/api/api.go index 5494ac42f..bfb0cb181 100644 --- a/internal/config/api/api.go +++ b/internal/config/api/api.go @@ -50,7 +50,7 @@ const ( EnvAPICorsAllowOrigin = "MINIO_API_CORS_ALLOW_ORIGIN" EnvAPIRemoteTransportDeadline = "MINIO_API_REMOTE_TRANSPORT_DEADLINE" EnvAPIListQuorum = "MINIO_API_LIST_QUORUM" - EnvAPISecureCiphers = "MINIO_API_SECURE_CIPHERS" + EnvAPISecureCiphers = "MINIO_API_SECURE_CIPHERS" // default "on" EnvAPIReplicationWorkers = "MINIO_API_REPLICATION_WORKERS" EnvAPIReplicationFailedWorkers = "MINIO_API_REPLICATION_FAILED_WORKERS" EnvAPITransitionWorkers = "MINIO_API_TRANSITION_WORKERS"