From 684b9d2f604eab06269a3a617989582135caa189 Mon Sep 17 00:00:00 2001 From: chrislu Date: Thu, 13 Nov 2025 20:47:16 -0800 Subject: [PATCH] Removed Premature Mutual Exclusivity Check --- weed/s3api/s3api_object_handlers.go | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/weed/s3api/s3api_object_handlers.go b/weed/s3api/s3api_object_handlers.go index 585a2e7c1..995559507 100644 --- a/weed/s3api/s3api_object_handlers.go +++ b/weed/s3api/s3api_object_handlers.go @@ -247,15 +247,9 @@ func (s3a *S3ApiServer) hasConditionalHeaders(r *http.Request) bool { // hasSSECHeaders checks if the request has SSE-C decryption headers // SSE-C requires the customer to provide the decryption key in GET/HEAD requests -// According to S3 spec, SSE-C is mutually exclusive with SSE-S3 and SSE-KMS +// This check is intentionally broad to ensure metadata is fetched if any SSE-C headers are present. +// Stricter validation of mutually exclusive headers happens later in the request processing. func (s3a *S3ApiServer) hasSSECHeaders(r *http.Request) bool { - // If SSE-S3 or SSE-KMS headers are present, this is not an SSE-C request (mutually exclusive) - // The x-amz-server-side-encryption header is used for both SSE-S3 (AES256) and SSE-KMS (aws:kms) - if r.Header.Get(s3_constants.AmzServerSideEncryption) != "" || - r.Header.Get(s3_constants.AmzServerSideEncryptionAwsKmsKeyId) != "" { - return false - } - return r.Header.Get(s3_constants.AmzServerSideEncryptionCustomerAlgorithm) != "" || r.Header.Get(s3_constants.AmzServerSideEncryptionCustomerKey) != "" || r.Header.Get(s3_constants.AmzServerSideEncryptionCustomerKeyMD5) != ""