From 9e7c7e926f7c36248990d7d96472d46ac4662aff Mon Sep 17 00:00:00 2001 From: chrislu Date: Wed, 26 Nov 2025 12:03:24 -0800 Subject: [PATCH] validation for the colon extraction in expectedAuth --- weed/s3api/auth_signature_v2.go | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/weed/s3api/auth_signature_v2.go b/weed/s3api/auth_signature_v2.go index fb659db0f..f52879629 100644 --- a/weed/s3api/auth_signature_v2.go +++ b/weed/s3api/auth_signature_v2.go @@ -117,14 +117,25 @@ func (iam *IdentityAccessManagement) doesSignV2Match(r *http.Request) (*Identity } expectedAuth := signatureV2(cred, r.Method, r.URL.Path, r.URL.Query().Encode(), r.Header) + + // Extract signatures from both auth headers v2Signature := "" expectedV2Signature := "" + + // Extract signature from request header if idx := strings.LastIndex(v2Auth, ":"); idx != -1 { v2Signature = v2Auth[idx+1:] } + + // Extract signature from expected auth header + // This should always succeed if signatureV2 is working correctly if idx := strings.LastIndex(expectedAuth, ":"); idx != -1 { expectedV2Signature = expectedAuth[idx+1:] + } else { + // This indicates a bug in signatureV2 function + return nil, s3err.ErrSignatureDoesNotMatch } + if !compareSignatureV2(v2Signature, expectedV2Signature) { return nil, s3err.ErrSignatureDoesNotMatch }
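Review bot: The request-side extraction at `if idx := strings.LastIndex(v2Auth, ":"); idx != -1 {` still falls through with an empty `v2Signature` when the client's Authorization header carries no colon, while the expected side now fails closed on the same condition; mirroring the new guard keeps the two extractions symmetric and rejects a malformed header before it ever reaches the comparison, e.g. `} else { return nil, s3err.ErrSignatureDoesNotMatch }` after the `v2Signature = v2Auth[idx+1:]` branch. Whether the current fall-through matters depends on `compareSignatureV2` always rejecting an empty candidate, which is not visible in this hunk, so the explicit rejection is cheap defence in depth rather than a confirmed bypass. Separately, the new `else` branch answers a condition its own comment calls a bug in `signatureV2` with the client-facing `ErrSignatureDoesNotMatch`, which hides a server defect behind a 403 indistinguishable from a bad client signature; if the file already has a logger in scope, an error-level log line in that branch (or an internal-error code, if `s3err` defines one) would surface it to operators while still failing closed. `doesSignV2Match` begins before this hunk and continues after it.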