public inbox for pbs-devel@lists.proxmox.com
* [pbs-devel] [PATCH proxmox] fix #6906: s3-client: conditionally set Content-Length header
@ 2025-10-09 11:50 Christian Ebner
From: Christian Ebner @ 2025-10-09 11:50 UTC (permalink / raw)
  To: pbs-devel

As specified in RFC 9110 section 8.6 [0], a user agent should not
send a Content-Length header field when the request message does not
contain content and the method semantics do not anticipate such data.

While this does not strictly forbid setting the header, this still
causes issues since the header is signed as part of the request
signature and since some proxies [1] might drop the header when
forwarding requests, this will result in authentication issues with
the S3 API.

To be more compliant, only set the Content-Length header for POST
and PUT requests, and only set for DELETE if there is a body.
Thereby further issues with request signing are avoided for the
proxied requests.

[0] https://www.rfc-editor.org/rfc/rfc9110.html#name-content-length
[1] https://github.com/caddyserver/caddy/issues/7295

Fixes: https://bugzilla.proxmox.com/show_bug.cgi?id=6906
Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
---
Note:
Tested by installing and setting up caddy as proxy for Ceph RGW via:
```
apt install caddy
systemctl disable --now caddy
caddy reverse-proxy --from https://<proxy-IP>:7480 --to https://<ceph-rgw-ip>:7480 --insecure=true
```

 proxmox-s3-client/src/client.rs | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/proxmox-s3-client/src/client.rs b/proxmox-s3-client/src/client.rs
index 96a5878d..f12e9426 100644
--- a/proxmox-s3-client/src/client.rs
+++ b/proxmox-s3-client/src/client.rs
@@ -268,10 +268,18 @@ impl S3Client {
             "x-amz-content-sha256",
             HeaderValue::from_str(&payload_digest)?,
         );
-        request.headers_mut().insert(
-            header::CONTENT_LENGTH,
-            HeaderValue::from_str(&payload_len.to_string())?,
-        );
+
+        let set_content_length_header = match request.method() {
+            &Method::PUT | &Method::POST => true,
+            &Method::DELETE if payload_len > 0 => true,
+            _ => false,
+        };
+        if set_content_length_header {
+            request.headers_mut().insert(
+                header::CONTENT_LENGTH,
+                HeaderValue::from_str(&payload_len.to_string())?,
+            );
+        }
         if payload_len > 0 {
             let md5_digest = proxmox_base64::encode(*payload_md5);
             request
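
Review bot: The catch-all `_ => false` arm in the new `set_content_length_header` match drops Content-Length for every method other than PUT, POST and DELETE even when `payload_len > 0`, so a request with any other method that carries a body would go out, and be signed, without the header. Consider folding the DELETE arm into the default as `_ => payload_len > 0`, which keeps the bodyless GET/HEAD/DELETE case header-free while never omitting the header for a request that does have content. A short comment above the match pointing at RFC 9110 section 8.6 and the signing problem would also help, since the reason for always setting the header on PUT/POST (including a length of 0) but not elsewhere is only in the commit message.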
-- 
2.47.3
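
The signing failure described in the commit message, as an added example that is not part of the patch or of proxmox-s3-client: a simplified AWS Signature Version 4 computation for a bodyless GET, verified after a modelled proxy has dropped Content-Length. The key, host, region, path and the helper names are constructed placeholders, and the verifier rejecting a request whose signed header is missing is a modelling assumption.

```python
import hashlib
import hmac

# Constructed sample values: key, date and region are placeholders.
SECRET, REGION, SERVICE = "EXAMPLE-SECRET", "us-east-1", "s3"
AMZ_DATE = "20251009T115000Z"
SCOPE = f"{AMZ_DATE[:8]}/{REGION}/{SERVICE}/aws4_request"
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # payload hash of an empty body


def sign(method, path, headers, signed_names):
    """SigV4 signature over exactly the headers listed in signed_names."""
    names = sorted(signed_names)
    canonical_headers = "".join(f"{n}:{headers[n].strip()}\n" for n in names)
    canonical_request = "\n".join(
        [method, path, "", canonical_headers, ";".join(names), EMPTY_SHA256]
    )
    digest = hashlib.sha256(canonical_request.encode()).hexdigest()
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", AMZ_DATE, SCOPE, digest])
    key = ("AWS4" + SECRET).encode()
    for part in SCOPE.split("/"):  # date, region, service, "aws4_request"
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()


def server_accepts(method, path, received, signed_names, client_sig):
    """Recompute the signature from the headers that arrived via the proxy."""
    if any(n not in received for n in signed_names):
        return False  # a signed header never arrived, so it cannot be verified
    expected = sign(method, path, received, signed_names)
    return hmac.compare_digest(expected, client_sig)


def proxied_get(send_content_length):
    """Sign a bodyless GET, pass it through the modelled proxy, then verify."""
    headers = {
        "host": "rgw.example.test",
        "x-amz-content-sha256": EMPTY_SHA256,
        "x-amz-date": AMZ_DATE,
    }
    if send_content_length:  # behaviour before the patch
        headers["content-length"] = "0"
    signed = list(headers)  # every header sent is also signed
    sig = sign("GET", "/bucket/object", headers, signed)
    # Modelled proxy: forwards everything except Content-Length.
    forwarded = {k: v for k, v in headers.items() if k != "content-length"}
    return server_accepts("GET", "/bucket/object", forwarded, signed, sig)
```

`proxied_get(True)` models the pre-patch request and fails verification; `proxied_get(False)` models the patched request and verifies.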




