From: Christian Ebner <c.ebner@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH proxmox] fix #6906: s3-client: conditionally set Content-Length header
Date: Thu, 9 Oct 2025 13:50:03 +0200
Message-ID: <20251009115003.443451-1-c.ebner@proxmox.com>
As specified in RFC 9110 section 8.6 [0], a user agent should not
send a Content-Length header field when the request message does not
contain content and the method semantics do not anticipate such data.
While this does not strictly forbid setting the header, this still
causes issues since the header is signed as part of the request
signature and since some proxies [1] might drop the header when
forwarding requests, this will result in authentication issues with
the S3 API.
To be more compliant, only set the Content-Length header for POST
and PUT requests, and only set for DELETE if there is a body.
Thereby further issues with request signing are avoided for the
proxied requests.
[0] https://www.rfc-editor.org/rfc/rfc9110.html#name-content-length
[1] https://github.com/caddyserver/caddy/issues/7295
Fixes: https://bugzilla.proxmox.com/show_bug.cgi?id=6906
Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
---
Note:
Tested by installing and setting up caddy as proxy for Ceph RGW via:
```
apt install caddy
systemctl disable --now caddy
caddy reverse-proxy --from https://<proxy-IP>:7480 --to https://<ceph-rgw-ip>:7480 --insecure=true
```
proxmox-s3-client/src/client.rs | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/proxmox-s3-client/src/client.rs b/proxmox-s3-client/src/client.rs
index 96a5878d..f12e9426 100644
--- a/proxmox-s3-client/src/client.rs
+++ b/proxmox-s3-client/src/client.rs
@@ -268,10 +268,18 @@ impl S3Client {
"x-amz-content-sha256",
HeaderValue::from_str(&payload_digest)?,
);
- request.headers_mut().insert(
- header::CONTENT_LENGTH,
- HeaderValue::from_str(&payload_len.to_string())?,
- );
+
+ let set_content_length_header = match request.method() {
+ &Method::PUT | &Method::POST => true,
+ &Method::DELETE if payload_len > 0 => true,
+ _ => false,
+ };
+ if set_content_length_header {
+ request.headers_mut().insert(
+ header::CONTENT_LENGTH,
+ HeaderValue::from_str(&payload_len.to_string())?,
+ );
+ }
if payload_len > 0 {
let md5_digest = proxmox_base64::encode(*payload_md5);
request
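Review bot: the new `match request.method()` block has no comment saying why only PUT, POST and DELETE-with-body get Content-Length; the reasoning (RFC 9110 section 8.6, and the header being covered by the request signature so that a proxy dropping it breaks authentication) exists only in the commit message. A short comment above `let set_content_length_header` would keep a later cleanup from reverting to the unconditional insert. It is also worth confirming that the signing code, which is outside this hunk, builds its signed-header list from the headers actually present on `request`, so the omitted header is not still listed there.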
--
2.47.3
_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
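The failure mode described in the commit message, as an added example that is not part of the patch or of proxmox-s3-client: a simplified SigV4-style signer and verifier showing that a signed `Content-Length: 0` on a GET stops verifying once a forwarding proxy drops the header. The key, host, path, region and the unconditional header-dropping proxy model are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample values; the key is a placeholder, not a real credential.
SECRET_KEY = "EXAMPLE-SECRET-KEY"
DATE, REGION = "20251009", "us-east-1"
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign(method: str, path: str, headers: dict, signed: list) -> str:
    """SigV4-style signature over the headers named in `signed`."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    # Modelling choice: a header listed as signed but absent from the request
    # canonicalises to an empty value, so the digest no longer matches.
    canonical_headers = "".join(f"{n}:{lower.get(n, '')}\n" for n in signed)
    canonical_request = "\n".join(
        [method, path, "", canonical_headers, ";".join(signed), lower["x-amz-content-sha256"]]
    )
    scope = f"{DATE}/{REGION}/s3/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", lower["x-amz-date"], scope,
         hashlib.sha256(canonical_request.encode()).hexdigest()]
    )
    key = ("AWS4" + SECRET_KEY).encode()
    for part in (DATE, REGION, "s3", "aws4_request"):
        key = _hmac(key, part)
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()

def through_proxy(headers: dict) -> dict:
    """Assumed proxy model: Content-Length is dropped while forwarding."""
    return {k: v for k, v in headers.items() if k.lower() != "content-length"}

def verifies(method: str, path: str, sent: dict, signed: list, signature: str) -> bool:
    """Server side: recompute the signature over the headers that arrived."""
    received = through_proxy(sent)
    return hmac.compare_digest(sign(method, path, received, signed), signature)

def get_request(with_content_length: bool):
    """Build and sign a body-less GET, with or without Content-Length: 0."""
    headers = {"host": "rgw.example.test:7480", "x-amz-date": "20251009T115003Z",
               "x-amz-content-sha256": EMPTY_SHA256}
    if with_content_length:
        headers["content-length"] = "0"
    signed = sorted(headers)
    return headers, signed, sign("GET", "/bucket/key", headers, signed)
```
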