mirror of
https://github.com/pgsty/minio.git
synced 2026-03-13 06:35:34 +01:00
STS tokens can be obtained by using local APIs once the remote JWT token is presented. The current code was not validating the incoming token in the first place and was incorrectly making a network operation using that token. For the most part this always works without issues, but under adversarial scenarios it allows a client to hand-craft a request that can reach internal services without authentication. This kind of proxying should be avoided before validating the incoming token.
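The ordering problem described in the commit message, shown as an added stand-alone Go example (not MinIO's code and not the change in this commit): a JWT is verified locally (segment structure, `alg` pinned to HS256, constant-time HMAC check, `exp`) before any call is made on its behalf. The shared HMAC key, the `claims` shape and the in-memory `internalService` stand-in for the downstream network call are all constructed assumptions for the example; `vulnerableSTS` reproduces the "forward first, validate later" pattern and `fixedSTS` the corrected order, so the hit counter shows which of the two lets an unauthenticated request reach the internal side.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Hypothetical key shared with the identity provider (constructed for this example).
var idpKey = []byte("example-shared-secret-not-for-production")

type claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
	Iss string `json:"iss"`
}

// validateJWT verifies a compact HS256 JWT entirely locally and returns its
// claims only if the structure, algorithm, signature and expiry all check out.
func validateJWT(token string, key []byte, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token: expected 3 segments")
	}
	hdrRaw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("bad header encoding: %w", err)
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil {
		return nil, fmt.Errorf("bad header: %w", err)
	}
	if hdr.Alg != "HS256" { // pin the algorithm; rejects "none" and key-confusion tricks
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	want := mac.Sum(nil)
	got, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("bad signature encoding: %w", err)
	}
	if subtle.ConstantTimeCompare(got, want) != 1 {
		return nil, errors.New("signature mismatch")
	}
	payRaw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("bad payload encoding: %w", err)
	}
	var c claims
	if err := json.Unmarshal(payRaw, &c); err != nil {
		return nil, fmt.Errorf("bad payload: %w", err)
	}
	if c.Exp == 0 || now.Unix() >= c.Exp {
		return nil, errors.New("token expired or missing exp")
	}
	return &c, nil
}

// internalService stands in for the downstream service the token is proxied to;
// hits counts how many requests reached it (assumption: a stub, no real network).
type internalService struct{ hits int }

func (s *internalService) call(token string) { s.hits++ }

// vulnerableSTS mirrors the flawed order: the network call happens with the
// unvalidated token, so a forged token still reaches the internal service.
func vulnerableSTS(svc *internalService, token string, now time.Time) error {
	svc.call(token)
	_, err := validateJWT(token, idpKey, now)
	return err
}

// fixedSTS validates first and only then makes the network call.
func fixedSTS(svc *internalService, token string, now time.Time) error {
	if _, err := validateJWT(token, idpKey, now); err != nil {
		return err
	}
	svc.call(token)
	return nil
}

// signJWT mints an HS256 token; used here to build both genuine and forged inputs.
func signJWT(c claims, key []byte) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, _ := json.Marshal(c)
	body := hdr + "." + base64.RawURLEncoding.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(body))
	return body + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

func main() {
	now := time.Now()
	forged := signJWT(claims{Sub: "mallory", Exp: now.Unix() + 600, Iss: "idp"}, []byte("wrong-key"))
	vs, fs := &internalService{}, &internalService{}
	fmt.Println("vulnerable:", vulnerableSTS(vs, forged, now), "internal hits:", vs.hits)
	fmt.Println("fixed:     ", fixedSTS(fs, forged, now), "internal hits:", fs.hits)
}
```

Both handlers return the same error for the forged token; the difference is that `vulnerableSTS` has already made the internal call by the time it finds out, which is exactly the proxying the commit message says must not happen before validation.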