Allow bucket to be missing from presigned post params

2026-04-25 20:44:55 +02:00 · 2026-01-18 15:04:56 +00:00
parent 3f4ab3a4a3
commit 79c7126b67
1 changed files with 17 additions and 1 deletions
--- a/src/api/s3/post_object.rs
+++ b/src/api/s3/post_object.rs
@@ -141,10 +141,26 @@ pub async fn handle_post_object(

 	let mut conditions = decoded_policy.into_conditions()?;

+	// If there are conditions on the bucket name, check these against the actual bucket_name rather
+	// than the one in params, which is allowed to be absent.
+	if let Some(conds) = conditions.params.remove("bucket") {
+		for cond in conds {
+			let ok = match cond {
+				Operation::Equal(s) => s.as_str() == bucket_name,
+				Operation::StartsWith(s) => bucket_name.starts_with(&s),
+			};
+			if !ok {
+				return Err(Error::bad_request(
+					"Key 'bucket' has value not allowed in policy",
+				));
+			}
+		}
+	}
+
 	for (param_key, value) in params.iter() {
 		let param_key = param_key.as_str();
 		match param_key {
-			"policy" | "x-amz-signature" => (), // this is always accepted, as it's required to validate other fields
+			"policy" | "x-amz-signature" | "bucket" => (), // this is always accepted, as it's required to validate other fields
 			"content-type" => {
 				let conds = conditions.params.remove("content-type").ok_or_else(|| {
 					Error::bad_request(format!("Key '{}' is not allowed in policy", param_key))