From d1f2d5cd0a836055c48a01c9319372c0b09408a6 Mon Sep 17 00:00:00 2001
From: chrislu
Date: Tue, 18 Nov 2025 22:39:37 -0800
Subject: [PATCH] Handle bucket-default encryption config errors explicitly for multipart
---
 weed/s3api/filer_multipart.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/weed/s3api/filer_multipart.go b/weed/s3api/filer_multipart.go
index 6d74c83b8..4b8fbaa62 100644
--- a/weed/s3api/filer_multipart.go
+++ b/weed/s3api/filer_multipart.go
@@ -7,6 +7,7 @@ import (
 "encoding/hex"
 "encoding/json"
 "encoding/xml"
+ "errors"
 "fmt"
 "math"
 "path/filepath"
@@ -792,7 +793,14 @@ func (s3a *S3ApiServer) prepareMultipartEncryptionConfig(r *http.Request, bucket
 // This matches AWS S3 behavior and putToFiler() implementation
 if !hasExplicitSSEKMS && !hasExplicitSSES3 {
 encryptionConfig, err := s3a.GetBucketEncryptionConfig(bucket)
- if err == nil && encryptionConfig != nil && encryptionConfig.SseAlgorithm != "" {
+ if err != nil {
+ // Check if this is just "no encryption configured" vs a real error
+ if !errors.Is(err, ErrNoEncryptionConfig) {
+ // Real error - propagate to prevent silent encryption bypass
+ return nil, fmt.Errorf("failed to read bucket encryption config for multipart upload: %v", err)
+ }
+ // No default encryption configured, continue without encryption
+ } else if encryptionConfig != nil && encryptionConfig.SseAlgorithm != "" {
 glog.V(3).Infof("prepareMultipartEncryptionConfig: applying bucket-default encryption %s for bucket %s, upload %s", encryptionConfig.SseAlgorithm, bucket, uploadIdString)