From b6392843f62c49b349d90bf39fe1cfa370676aef Mon Sep 17 00:00:00 2001
From: chrislu
Date: Mon, 17 Nov 2025 12:52:24 -0800
Subject: [PATCH] decryptedReader will now be properly closed after use
---
 weed/s3api/s3api_object_handlers.go | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/weed/s3api/s3api_object_handlers.go b/weed/s3api/s3api_object_handlers.go
index f53460054..7a30ef6b3 100644
--- a/weed/s3api/s3api_object_handlers.go
+++ b/weed/s3api/s3api_object_handlers.go
@@ -1114,6 +1114,15 @@ func (s3a *S3ApiServer) streamFromVolumeServersWithSSE(w http.ResponseWriter, r
 return fmt.Errorf("failed to create decrypted reader: %w", err)
 }
 
+ // Close the decrypted reader to avoid leaking HTTP bodies
+ if closer, ok := decryptedReader.(io.Closer); ok {
+ defer func() {
+ if closeErr := closer.Close(); closeErr != nil {
+ glog.V(3).Infof("Error closing decrypted reader: %v", closeErr)
+ }
+ }()
+ }
+
 // Stream full decrypted object to client
 tCopy := time.Now()
 buf := make([]byte, 128*1024)
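Review bot: The `io.Closer` type assertion on `decryptedReader` silently skips the close when the concrete reader does not implement `Close`, so the leak this defer targets can remain for those reader types with no signal at all. How `decryptedReader` is constructed, and whether the encrypted source stream is closed by someone else, is outside the hunk (the function starts and ends beyond it), so this should be confirmed for every SSE mode that reaches this path; an unclosed upstream body per GET is a connection-exhaustion risk on a request-driven handler. Consider making the miss visible with an else branch such as `} else { glog.V(3).Infof("decrypted reader %T has no Close; source stream must be closed by its owner", decryptedReader) }`, or extend the comment to name which wrapper types are expected to implement `io.Closer` and who closes the source when they do not.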