From d07b5b77206c58037161b16c06a9586c7b67107e Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Mon, 1 Dec 2025 17:17:18 -0800
Subject: [PATCH] Fix checksum validation for unsigned streaming uploads

- Always validate checksum for data integrity regardless of signing
- Correct checksum value in test case
- Addresses PR review feedback about checksum verification
---
 weed/s3api/chunked_bug_reproduction_test.go | 2 +-
 weed/s3api/chunked_reader_v4.go | 16 +++++++---------
 2 files changed, 8 insertions(+), 10 deletions(-)

diff --git a/weed/s3api/chunked_bug_reproduction_test.go b/weed/s3api/chunked_bug_reproduction_test.go
index d16709c03..dc02bc282 100644
--- a/weed/s3api/chunked_bug_reproduction_test.go
+++ b/weed/s3api/chunked_bug_reproduction_test.go
@@ -20,7 +20,7 @@ func TestChunkedEncodingMixedFormat(t *testing.T) {
 mixedFormatPayload := "c;chunk-signature=347f6c62acd95b7c6ae18648776024a9e8cd6151184a5e777ea8e1d9b4e45b3c\r\n" +
 "hello world\n\r\n" +
 "0;chunk-signature=1a99b7790b8db0f4bfc048c8802056c3179d561e40c073167e79db5f1a6af4b2\r\n" +
- "x-amz-checksum-crc32:rhg7LQ==\r\n" +
+ "x-amz-checksum-crc32:rwg7LQ==\r\n" +
 "\r\n"

 // Create HTTP request with unsigned streaming headers
diff --git a/weed/s3api/chunked_reader_v4.go b/weed/s3api/chunked_reader_v4.go
index 676d68fd1..52d7007aa 100644
--- a/weed/s3api/chunked_reader_v4.go
+++ b/weed/s3api/chunked_reader_v4.go
@@ -320,15 +320,13 @@ func (cr *s3ChunkedReader) Read(buf []byte) (n int, err error) {
 return 0, cr.err
 }

- // Check checksum only for signed streaming
- if cr.cred != nil {
- computedChecksum := cr.checkSumWriter.Sum(nil)
- base64Checksum := base64.StdEncoding.EncodeToString(computedChecksum)
- if string(extractedChecksum) != base64Checksum {
- glog.V(3).Infof("payload checksum '%s' does not match provided checksum '%s'", base64Checksum, string(extractedChecksum))
- cr.err = errors.New(s3err.ErrMsgPayloadChecksumMismatch)
- return 0, cr.err
- }
+ // Validate checksum for data integrity (required for both signed and unsigned streaming with trailers)
+ computedChecksum := cr.checkSumWriter.Sum(nil)
+ base64Checksum := base64.StdEncoding.EncodeToString(computedChecksum)
+ if string(extractedChecksum) != base64Checksum {
+ glog.V(3).Infof("payload checksum '%s' does not match provided checksum '%s'", base64Checksum, string(extractedChecksum))
+ cr.err = errors.New(s3err.ErrMsgPayloadChecksumMismatch)
+ return 0, cr.err
 }

 // TODO: Extract signature from trailer chunk and verify it.
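Review bot: With the `cr.cred != nil` guard removed, unsigned streaming requests now reach `cr.checkSumWriter.Sum(nil)`, and nothing visible in this hunk shows that `checkSumWriter` is non-nil or that `extractedChecksum` is populated when an unsigned request declares no checksum trailer. If either can be unset on that path, the call may panic or every such upload may fail with a mismatch. Read's body starts and ends outside the hunk, so confirm this upstream or add an explicit nil check on `cr.checkSumWriter` before the comparison. The log line formats the client-supplied trailer value with `'%s'`; using `%q` for `string(extractedChecksum)` would keep control characters from that untrusted value out of the log. The test change only corrects the matching value, so a case that sends a wrong `x-amz-checksum-crc32` on an unsigned stream and expects `s3err.ErrMsgPayloadChecksumMismatch` would pin the new behaviour. The new comment could also note that, until the trailer-signature TODO below is done, this check appears to detect corruption rather than deliberate tampering.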