fix(s3): handle empty URL path in forwarded prefix signature verification (#8973)

fix(s3): handle empty URL path in forwarded prefix signature verification (#8966) When S3 is behind a reverse proxy with a forwarded prefix (e.g. /s3), requests with an empty URL path (like ListBuckets) would incorrectly get a trailing slash appended (e.g. /s3/), causing signature verification to fail because the client signs /s3 without the slash.
2026-05-23 18:21:28 +00:00 · 2026-04-07 13:22:21 -07:00
parent 79a48256f5
commit efc7f3936f
2 changed files with 8 additions and 0 deletions
--- a/weed/s3api/auth_signature_v4.go
+++ b/weed/s3api/auth_signature_v4.go
@@ -194,6 +194,8 @@ func buildPathWithForwardedPrefix(forwardedPrefix, urlPath string) string {
 	var joined string
 	if strings.HasSuffix(forwardedPrefix, "/") && strings.HasPrefix(urlPath, "/") {
 		joined = forwardedPrefix + urlPath[1:]
+	} else if urlPath == "" {
+		joined = forwardedPrefix
 	} else if !strings.HasSuffix(forwardedPrefix, "/") && !strings.HasPrefix(urlPath, "/") {
 		joined = forwardedPrefix + "/" + urlPath
 	} else {
--- a/weed/s3api/auth_signature_v4_test.go
+++ b/weed/s3api/auth_signature_v4_test.go
@@ -139,6 +139,12 @@ func TestBuildPathWithForwardedPrefix(t *testing.T) {
 			urlPath:         "bucket/obj",
 			expected:        "/storage/bucket/obj",
 		},
+		{
+			name:            "empty urlPath with prefix",
+			forwardedPrefix: "/s3",
+			urlPath:         "",
+			expected:        "/s3",
+		},
 	}

 	for _, tt := range tests {