From ebaeaa68927a6c6690321deb6e565b807336c18f Mon Sep 17 00:00:00 2001
From: chrislu <chris.lu@gmail.com>
Date: Thu, 20 Nov 2025 22:19:12 -0800
Subject: [PATCH] Update s3api_bucket_handlers.go

---
 weed/s3api/s3api_bucket_handlers.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/weed/s3api/s3api_bucket_handlers.go b/weed/s3api/s3api_bucket_handlers.go
index 35525c45f..57d497dc6 100644
--- a/weed/s3api/s3api_bucket_handlers.go
+++ b/weed/s3api/s3api_bucket_handlers.go
@@ -62,9 +62,9 @@ func (s3a *S3ApiServer) ListBucketsHandler(w http.ResponseWriter, r *http.Reques
 	identityId := ""
 	if identity != nil {
 		identityId = identity.Name
-	} else {
-		identityId = r.Header.Get(s3_constants.AmzIdentityId)
 	}
+	// Note: For unauthenticated requests, identityId remains empty.
+	// We never read from request headers to prevent reflecting unvalidated user input.
 
 	var listBuckets ListAllMyBucketsList
 	for _, entry := range entries {