From: Christian Ebner
To: pbs-devel@lists.proxmox.com
Date: Thu, 9 Oct 2025 13:50:03 +0200
Message-ID: <20251009115003.443451-1-c.ebner@proxmox.com>
Subject: [pbs-devel] [PATCH proxmox] fix #6906: s3-client: conditionally set Content-Length header

As specified in RFC 9110 section 8.6 [0], a user agent should not send a Content-Length header field when the request message does not contain content and the method semantics do not anticipate such data.

While this does not strictly forbid setting the header, this still causes issues since the header is signed as part of the request signature and since some proxies [1] might drop the header when forwarding requests, this will result in authentication issues with the S3 API.

To be more compliant, only set the Content-Length header for POST and PUT requests, and only set for DELETE if there is a body.
Thereby further issues with request signing are avoided for the proxied requests. [0] https://www.rfc-editor.org/rfc/rfc9110.html#name-content-length [1] https://github.com/caddyserver/caddy/issues/7295 Fixes: https://bugzilla.proxmox.com/show_bug.cgi?id=6906 Signed-off-by: Christian Ebner --- Note: Tested by installing and setting up caddy as proxy for Ceph RGW via: ``` apt install caddy systemctl disable --now caddy caddy reverse-proxy --from https:://:7480 --to https://:7480 --insecure=true ``` proxmox-s3-client/src/client.rs | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/proxmox-s3-client/src/client.rs b/proxmox-s3-client/src/client.rs index 96a5878d..f12e9426 100644 --- a/proxmox-s3-client/src/client.rs +++ b/proxmox-s3-client/src/client.rs @@ -268,10 +268,18 @@ impl S3Client { "x-amz-content-sha256", HeaderValue::from_str(&payload_digest)?, ); - request.headers_mut().insert( - header::CONTENT_LENGTH, - HeaderValue::from_str(&payload_len.to_string())?, - ); + + let set_content_length_header = match request.method() { + &Method::PUT | &Method::POST => true, + &Method::DELETE if payload_len > 0 => true, + _ => false, + }; + if set_content_length_header { + request.headers_mut().insert( + header::CONTENT_LENGTH, + HeaderValue::from_str(&payload_len.to_string())?, + ); + } if payload_len > 0 { let md5_digest = proxmox_base64::encode(*payload_md5); request -- 2.47.3 _______________________________________________ pbs-devel mailing list pbs-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
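
Review bot: the `_ => false` arm of the new match in `client.rs` drops Content-Length for every method other than PUT, POST and DELETE even when `payload_len > 0`, while the unchanged `if payload_len > 0 {` block directly below still adds the MD5 digest header for any method that carries a body. A request with content on another method would then go out with a payload digest but no Content-Length. Consider keying the decision on the payload first, for example `payload_len > 0 || matches!(*request.method(), Method::PUT | Method::POST)`, which also removes the need for the separate DELETE guard arm. The hunk adds no `use` line, so `Method` has to be in scope already. A short code comment pointing at RFC 9110 section 8.6 and the signed-header problem would keep the rationale next to the condition instead of only in the commit message.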
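
The failure mode described in the commit message, as an added example that is not part of the patch or of proxmox-s3-client: a SigV4-style canonical request is built once as the client signs it and once as the verifier rebuilds it after a proxy has dropped `Content-Length: 0`. The function names, the proxy model, the treatment of a missing signed header as an empty value, and the sample host and date are assumptions made for illustration.

```rust
use std::collections::BTreeMap;

// Lowercase header name -> value; BTreeMap keeps names sorted as SigV4 requires.
type Headers = BTreeMap<String, String>;

/// Canonical request: method, URI, (empty) query, canonical headers,
/// signed header list, payload hash. The signature is an HMAC over a hash of this.
fn canonical_request(method: &str, uri: &str, headers: &Headers, signed: &[&str], payload_hash: &str) -> String {
    let mut canonical_headers = String::new();
    for name in signed {
        // Assumption: a signed header missing from the request counts as empty.
        let value = headers.get(*name).map(|v| v.trim()).unwrap_or("");
        canonical_headers.push_str(&format!("{name}:{value}\n"));
    }
    format!("{method}\n{uri}\n\n{canonical_headers}\n{}\n{payload_hash}", signed.join(";"))
}

/// Simplified proxy model (assumption): `Content-Length: 0` is dropped
/// on methods that do not anticipate a body.
fn proxy_forward(method: &str, headers: &Headers) -> Headers {
    let mut out = headers.clone();
    let zero = out.get("content-length").map(String::as_str) == Some("0");
    if zero && !matches!(method, "PUT" | "POST") {
        out.remove("content-length");
    }
    out
}

/// True when the verifier rebuilds exactly the canonical request the client signed.
fn survives_proxy(method: &str, with_content_length: bool) -> bool {
    // SHA-256 of the empty payload.
    const EMPTY_SHA256: &str = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855";
    let mut headers = Headers::new(); // constructed sample request
    headers.insert("host".into(), "s3.example.test".into());
    headers.insert("x-amz-content-sha256".into(), EMPTY_SHA256.into());
    headers.insert("x-amz-date".into(), "20251009T115003Z".into());
    if with_content_length {
        headers.insert("content-length".into(), "0".into());
    }
    // The client signs every header it sends.
    let signed: Vec<&str> = headers.keys().map(String::as_str).collect();
    let client = canonical_request(method, "/bucket/key", &headers, &signed, EMPTY_SHA256);
    let received = proxy_forward(method, &headers);
    let server = canonical_request(method, "/bucket/key", &received, &signed, EMPTY_SHA256);
    client == server
}

fn main() {
    println!("GET, Content-Length: 0 signed -> match: {}", survives_proxy("GET", true));
    println!("GET, header never set         -> match: {}", survives_proxy("GET", false));
}
```

Differing canonical requests always yield differing signatures, so the first case is the authentication failure and the second is the behaviour after the fix.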