[fix-presigned] PostObject: verify X-Amz-Algorithm

author: Alex Auvolat <alex@adnab.me> 2024-02-27 22:59:30 +0100
committer: Alex Auvolat <alex@adnab.me> 2024-02-28 12:24:20 +0100
commit: 2efa9c5a1a568e28e41af790750f224d334d4e3d (patch)
tree: be24c8063bc65c3addb6814cea7f4cacfc73da29 /src
parent: a8cb8e8a8b0507a9035083d64eb46cde7d39005d (diff)
download: garage-2efa9c5a1a568e28e41af790750f224d334d4e3d.tar.gz
garage-2efa9c5a1a568e28e41af790750f224d334d4e3d.zip
1 files changed, 10 insertions, 0 deletions
diff --git a/src/api/signature/payload.rs b/src/api/signature/payload.rs
index 29ed7081..8841a5e5 100644
--- a/src/api/signature/payload.rs
+++ b/src/api/signature/payload.rs
@@ -449,6 +449,16 @@ impl Authorization {
 	}
 
 	pub(crate) fn parse_form(params: &HeaderMap) -> Result<Self, Error> {
+		let algorithm = params
+			.get(X_AMZ_ALGORITHM)
+			.ok_or_bad_request("Missing X-Amz-Algorithm header")?
+			.to_str()?;
+		if algorithm != AWS4_HMAC_SHA256 {
+			return Err(Error::bad_request(
+				"Unsupported authorization method".to_string(),
+			));
+		}
+
 		let credential = params
 			.get(X_AMZ_CREDENTIAL)
 			.ok_or_else(|| Error::forbidden("Garage does not support anonymous access yet"))?
author	Alex Auvolat <alex@adnab.me>	2024-02-27 22:59:30 +0100
committer	Alex Auvolat <alex@adnab.me>	2024-02-28 12:24:20 +0100
commit	2efa9c5a1a568e28e41af790750f224d334d4e3d (patch)
tree	be24c8063bc65c3addb6814cea7f4cacfc73da29 /src
parent	a8cb8e8a8b0507a9035083d64eb46cde7d39005d (diff)
download	garage-2efa9c5a1a568e28e41af790750f224d334d4e3d.tar.gz garage-2efa9c5a1a568e28e41af790750f224d334d4e3d.zip