diff --git a/api/handler/put.go b/api/handler/put.go index bd7b3886..72794c6e 100644 --- a/api/handler/put.go +++ b/api/handler/put.go @@ -7,6 +7,7 @@ import ( "encoding/hex" "encoding/json" "encoding/xml" + stderrors "errors" "fmt" "io" "net" @@ -628,11 +629,21 @@ func checkPostPolicy(r *http.Request, reqInfo *middleware.ReqInfo, metadata map[ policy.empty = false } + if r.MultipartForm == nil { + return nil, stderrors.New("empty multipart form") + } + for key, v := range r.MultipartForm.Value { - value := v[0] if key == "file" || key == "policy" || key == "x-amz-signature" || strings.HasPrefix(key, "x-ignore-") { continue } + + if len(v) != 1 { + return nil, fmt.Errorf("empty multipart value for key '%s'", key) + } + + value := v[0] + if err := policy.CheckField(key, value); err != nil { return nil, fmt.Errorf("'%s' form field doesn't match the policy: %w", key, err) }