aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlex Auvolat <alex@adnab.me>2024-02-27 22:59:30 +0100
committerAlex Auvolat <alex@adnab.me>2024-02-27 22:59:30 +0100
commit6aa702dc813c205ef9eaabf38ef15fefcab884f7 (patch)
treebe24c8063bc65c3addb6814cea7f4cacfc73da29
parent2aa049c781be87ae77e334996558fd82a2409506 (diff)
downloadgarage-6aa702dc813c205ef9eaabf38ef15fefcab884f7.tar.gz
garage-6aa702dc813c205ef9eaabf38ef15fefcab884f7.zip
[fix-presigned] PostObject: verify X-Amz-Algorithm
-rw-r--r--src/api/signature/payload.rs10
1 files changed, 10 insertions, 0 deletions
diff --git a/src/api/signature/payload.rs b/src/api/signature/payload.rs
index 29ed7081..8841a5e5 100644
--- a/src/api/signature/payload.rs
+++ b/src/api/signature/payload.rs
@@ -449,6 +449,16 @@ impl Authorization {
}
pub(crate) fn parse_form(params: &HeaderMap) -> Result<Self, Error> {
+ let algorithm = params
+ .get(X_AMZ_ALGORITHM)
+ .ok_or_bad_request("Missing X-Amz-Algorithm header")?
+ .to_str()?;
+ if algorithm != AWS4_HMAC_SHA256 {
+ return Err(Error::bad_request(
+ "Unsupported authorization method".to_string(),
+ ));
+ }
+
let credential = params
.get(X_AMZ_CREDENTIAL)
.ok_or_else(|| Error::forbidden("Garage does not support anonymous access yet"))?