From efc7f3936f842eeaa03e615f4c765fa042bdc0b7 Mon Sep 17 00:00:00 2001 From: Chris Lu Date: Tue, 7 Apr 2026 13:22:21 -0700 Subject: [PATCH] fix(s3): handle empty URL path in forwarded prefix signature verification (#8973) fix(s3): handle empty URL path in forwarded prefix signature verification (#8966) When S3 is behind a reverse proxy with a forwarded prefix (e.g. /s3), requests with an empty URL path (like ListBuckets) would incorrectly get a trailing slash appended (e.g. /s3/), causing signature verification to fail because the client signs /s3 without the slash. --- weed/s3api/auth_signature_v4.go | 2 ++ weed/s3api/auth_signature_v4_test.go | 6 ++++++ 2 files changed, 8 insertions(+) diff --git a/weed/s3api/auth_signature_v4.go b/weed/s3api/auth_signature_v4.go index c52cb2dac..cf8860e9a 100644 --- a/weed/s3api/auth_signature_v4.go +++ b/weed/s3api/auth_signature_v4.go @@ -194,6 +194,8 @@ func buildPathWithForwardedPrefix(forwardedPrefix, urlPath string) string { var joined string if strings.HasSuffix(forwardedPrefix, "/") && strings.HasPrefix(urlPath, "/") { joined = forwardedPrefix + urlPath[1:] + } else if urlPath == "" { + joined = forwardedPrefix } else if !strings.HasSuffix(forwardedPrefix, "/") && !strings.HasPrefix(urlPath, "/") { joined = forwardedPrefix + "/" + urlPath } else { diff --git a/weed/s3api/auth_signature_v4_test.go b/weed/s3api/auth_signature_v4_test.go index 0bc704faf..a5f66e558 100644 --- a/weed/s3api/auth_signature_v4_test.go +++ b/weed/s3api/auth_signature_v4_test.go @@ -139,6 +139,12 @@ func TestBuildPathWithForwardedPrefix(t *testing.T) { urlPath: "bucket/obj", expected: "/storage/bucket/obj", }, + { + name: "empty urlPath with prefix", + forwardedPrefix: "/s3", + urlPath: "", + expected: "/s3", + }, } for _, tt := range tests {