diff options
author | Alex Auvolat <alex@adnab.me> | 2024-02-27 22:59:30 +0100 |
---|---|---|
committer | Alex Auvolat <alex@adnab.me> | 2024-02-27 22:59:30 +0100 |
commit | 6aa702dc813c205ef9eaabf38ef15fefcab884f7 (patch) | |
tree | be24c8063bc65c3addb6814cea7f4cacfc73da29 | |
parent | 2aa049c781be87ae77e334996558fd82a2409506 (diff) | |
download | garage-6aa702dc813c205ef9eaabf38ef15fefcab884f7.tar.gz garage-6aa702dc813c205ef9eaabf38ef15fefcab884f7.zip |
[fix-presigned] PostObject: verify X-Amz-Algorithm
-rw-r--r-- | src/api/signature/payload.rs | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/src/api/signature/payload.rs b/src/api/signature/payload.rs index 29ed7081..8841a5e5 100644 --- a/src/api/signature/payload.rs +++ b/src/api/signature/payload.rs @@ -449,6 +449,16 @@ impl Authorization { } pub(crate) fn parse_form(params: &HeaderMap) -> Result<Self, Error> { + let algorithm = params + .get(X_AMZ_ALGORITHM) + .ok_or_bad_request("Missing X-Amz-Algorithm header")? + .to_str()?; + if algorithm != AWS4_HMAC_SHA256 { + return Err(Error::bad_request( + "Unsupported authorization method".to_string(), + )); + } + let credential = params .get(X_AMZ_CREDENTIAL) .ok_or_else(|| Error::forbidden("Garage does not support anonymous access yet"))? |