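--- a/lib/auth/v4/validateInputs.ts
+++ b/lib/auth/v4/validateInputs.ts
@@ -196,6 +196,12 @@ export function areSignedHeadersComplete(signedHeaders: string, allHeaders: Head
 }
 const headers = Object.keys(allHeaders);
 for (let i = 0; i < headers.length; i++) {
+// We skip x-amz-content-sha256 because in practice AWS does not require that it be present
+// in the list of signed headers.
+if (headers[i] === 'x-amz-content-sha256') {
+continue;
+}
+
 if ((headers[i].startsWith('x-amz-')
 || headers[i].startsWith('x-scal-'))
 && signedHeadersList.indexOf(headers[i]) === -1) {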
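Review bot: The comment on the new `x-amz-content-sha256` skip justifies the exemption only by AWS behaviour and does not say why leaving this header out of SignedHeaders is safe. In SigV4 the header's value is normally the payload hash that closes the canonical request, so it stays covered by the signature even when it is not a signed header; that appears to be the assumption here, but the canonical-request code is outside this hunk and should be confirmed. I would state it in the comment, e.g. `// Safe to skip: the value is still bound to the signature as the canonical request's payload hash.` The skip is an exact lower-case match, which agrees with the `startsWith('x-amz-')` checks below only if header names arrive lower-cased. areSignedHeadersComplete starts and ends outside the hunk.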
2 changes: 1 addition & 1 deletion package.json
Expand Up @@ -3,7 +3,7 @@
"engines": {
"node": ">=20"
},
"version": "8.2.44",
"version": "8.2.45",
"description": "Common utilities for the S3 project components",
"main": "build/index.js",
"repository": {
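--- a/tests/unit/auth/v4/headerAuthCheck.spec.js
+++ b/tests/unit/auth/v4/headerAuthCheck.spec.js
@@ -91,6 +91,24 @@ describe('v4 headerAuthCheck', () => {
 done();
 });
 
+it('should NOT return error if x-amz-content-sha256 is not included ' +
+'as signed header but is in request', done => {
+// x-amz-content-sha256 is an exception - AWS does not require it
+// to be in the signed headers list
+const clock = fakeTimers.install({ now: 1454962445000 });
+const alteredRequest = createAlteredRequest({
+authorization: 'AWS4-HMAC-SHA256 Credential=accessKey1/20160208' +
+'/us-east-1/s3/aws4_request, SignedHeaders=host;' +
+'x-amz-date, Signature=abed924c06abf8772c670064d22eacd6ccb85c06' +
+'befa15f4a789b0bae19307bc',
+'x-amz-content-sha256': xAMZcontentSha256 },
+'headers', request, headers);
+const res = headerAuthCheck(alteredRequest, log);
+clock.uninstall();
+assert.strictEqual(res.err, null);
+done();
+});
+
 it('should return error if an x-scal header is not included as signed ' +
 'header but is in request', done => {
 const alteredRequest = createAlteredRequest({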
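Review bot: The added test covers only the accepting path, so nothing pins that an unsigned `x-amz-content-sha256` is still integrity-protected. A companion case that keeps `SignedHeaders=host;x-amz-date` and the same signature but passes a different `x-amz-content-sha256` value should end with `res.err` set, assuming the header value feeds the canonical request; asserting that would guard the exemption against later regressions. Separately, `clock.uninstall()` runs only if `headerAuthCheck` returns, so an exception would leave the fake clock installed for later tests; `try { ... } finally { clock.uninstall(); }` or an `afterEach` would avoid that. The enclosing `describe` block starts and ends outside the hunk.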