From ae08a97156ca27eea096a0191d871b66063e3d2b Mon Sep 17 00:00:00 2001
From: chrislu
Date: Tue, 25 Nov 2025 14:31:40 -0800
Subject: [PATCH] validate bucket name
---
 weed/s3api/s3api_bucket_handlers.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/weed/s3api/s3api_bucket_handlers.go b/weed/s3api/s3api_bucket_handlers.go
index 6300aa7ea..88e25a6c0 100644
--- a/weed/s3api/s3api_bucket_handlers.go
+++ b/weed/s3api/s3api_bucket_handlers.go
@@ -571,6 +571,11 @@ var ErrAutoCreatePermissionDenied = fmt.Errorf("permission denied - requires Adm
 // autoCreateBucket creates a bucket if it doesn't exist, setting the owner from the request context
 // Only users with admin permissions are allowed to auto-create buckets
 func (s3a *S3ApiServer) autoCreateBucket(r *http.Request, bucket string) error {
+ // Validate the bucket name before auto-creating
+ if err := s3bucket.VerifyS3BucketName(bucket); err != nil {
+ return fmt.Errorf("auto-create bucket %s: invalid bucket name: %w", bucket, err)
+ }
+
 // Check if user has admin permissions
 if !s3a.isUserAdmin(r) {
 return fmt.Errorf("auto-create bucket %s: %w", bucket, ErrAutoCreatePermissionDenied)
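Review bot: The new invalid-name error formats the rejected bucket with `%s`, so a name that has just failed validation is copied verbatim into the error text, including any control characters or newlines it may carry from the request. If callers log or echo this error, quoting the value keeps it on one line and makes odd input visible: `return fmt.Errorf("auto-create bucket %q: invalid bucket name: %w", bucket, err)`. Unlike the ErrAutoCreatePermissionDenied branch just below, this failure has no sentinel of its own, so call sites (outside this hunk) presumably cannot map it to a client-error response without string matching; worth confirming how they translate it. autoCreateBucket's body continues past the end of the hunk.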