minio/cmd
Feng Ruohang efb6e5b00b fix: fake CVE-2026-40028 harden snowball unsigned-trailer auth
Track issue #28 / GHSA-9c4q-hq6p-c237 as fake CVE-2026-40028. Close the Snowball auto-extract auth gap in PutObjectExtractHandler by treating authTypeStreamingUnsignedTrailer the same as ordinary PUTs: honor X-Amz-Decoded-Content-Length, initialize newUnsignedV4ChunkedReader(), and verify the SigV4 request before any tar bytes reach untar(). This removes the forged-signature write primitive that let a single request fan out into arbitrary extracted object creation.

Add regression coverage for forged-signature Snowball unsigned-trailer writes, anonymous Snowball requests against non-public buckets, and legitimate signed Snowball extraction with trailing CRC32 trailers. Validate the new tests against the vulnerable parent and patched tree, and confirm with containerized before/after smoke runs that the exploit succeeds pre-fix, fails post-fix, and normal signed Snowball uploads still extract correctly.

Co-authored-by: Codex <codex@openai.com>
Co-authored-by: Claude Code <claude-code@anthropic.com>
2026-04-16 14:46:45 +08:00