diff options
Diffstat (limited to 'weed/s3api/s3api_bucket_handlers.go')
| -rw-r--r-- | weed/s3api/s3api_bucket_handlers.go | 20 |
1 files changed, 10 insertions, 10 deletions
diff --git a/weed/s3api/s3api_bucket_handlers.go b/weed/s3api/s3api_bucket_handlers.go index 4222c911e..eaff6d442 100644 --- a/weed/s3api/s3api_bucket_handlers.go +++ b/weed/s3api/s3api_bucket_handlers.go @@ -59,12 +59,9 @@ func (s3a *S3ApiServer) ListBucketsHandler(w http.ResponseWriter, r *http.Reques return } - identityId := "" - if identity != nil { - identityId = identity.Name - } - // Note: For unauthenticated requests, identityId remains empty. - // We never read from request headers to prevent reflecting unvalidated user input. + // Get authenticated identity from context (secure, cannot be spoofed) + // For unauthenticated requests, this returns empty string + identityId := s3_constants.GetIdentityNameFromContext(r) var listBuckets ListAllMyBucketsList for _, entry := range entries { @@ -164,7 +161,8 @@ func (s3a *S3ApiServer) PutBucketHandler(w http.ResponseWriter, r *http.Request) } // Check if bucket already exists and handle ownership/settings - currentIdentityId := r.Header.Get(s3_constants.AmzIdentityId) + // Get authenticated identity from context (secure, cannot be spoofed) + currentIdentityId := s3_constants.GetIdentityNameFromContext(r) // Check collection existence first collectionExists := false @@ -247,11 +245,12 @@ func (s3a *S3ApiServer) PutBucketHandler(w http.ResponseWriter, r *http.Request) } fn := func(entry *filer_pb.Entry) { - if identityId := r.Header.Get(s3_constants.AmzIdentityId); identityId != "" { + // Reuse currentIdentityId from above (already retrieved from context) + if currentIdentityId != "" { if entry.Extended == nil { entry.Extended = make(map[string][]byte) } - entry.Extended[s3_constants.AmzIdentityId] = []byte(identityId) + entry.Extended[s3_constants.AmzIdentityId] = []byte(currentIdentityId) } } @@ -576,7 +575,8 @@ func (s3a *S3ApiServer) hasAccess(r *http.Request, entry *filer_pb.Entry) bool { return true } - identityId := r.Header.Get(s3_constants.AmzIdentityId) + // Get authenticated identity from context (secure, cannot be spoofed) + identityId := s3_constants.GetIdentityNameFromContext(r) if id, ok := entry.Extended[s3_constants.AmzIdentityId]; ok { if identityId != string(id) { glog.V(3).Infof("hasAccess: %s != %s (entry.Extended = %v)", identityId, id, entry.Extended) |