diff --git a/cmd/bucket-handlers.go b/cmd/bucket-handlers.go index 254c2e5b1..a0d843d35 100644 --- a/cmd/bucket-handlers.go +++ b/cmd/bucket-handlers.go @@ -482,7 +482,14 @@ func (api objectAPIHandlers) PostPolicyBucketHandler(w http.ResponseWriter, r *h writeErrorResponse(w, ErrServerNotInitialized, r.URL, guessIsBrowserReq(r)) return } - + if crypto.S3KMS.IsRequested(r.Header) { // SSE-KMS is not supported + writeErrorResponse(w, ErrNotImplemented, r.URL, guessIsBrowserReq(r)) + return + } + if !objectAPI.IsEncryptionSupported() && hasServerSideEncryptionHeader(r.Header) { + writeErrorResponse(w, ErrNotImplemented, r.URL, guessIsBrowserReq(r)) + return + } bucket := mux.Vars(r)["bucket"] // Require Content-Length to be set in the request diff --git a/cmd/object-handlers.go b/cmd/object-handlers.go index 6b6646fb6..c3497951f 100644 --- a/cmd/object-handlers.go +++ b/cmd/object-handlers.go @@ -91,6 +91,10 @@ func (api objectAPIHandlers) SelectObjectContentHandler(w http.ResponseWriter, r writeErrorResponse(w, ErrNotImplemented, r.URL, guessIsBrowserReq(r)) return } + if !objectAPI.IsEncryptionSupported() && hasServerSideEncryptionHeader(r.Header) { + writeErrorResponse(w, ErrBadRequest, r.URL, guessIsBrowserReq(r)) + return + } vars := mux.Vars(r) bucket := vars["bucket"] object := vars["object"] @@ -318,7 +322,10 @@ func (api objectAPIHandlers) GetObjectHandler(w http.ResponseWriter, r *http.Req writeErrorResponse(w, ErrBadRequest, r.URL, guessIsBrowserReq(r)) return } - + if !objectAPI.IsEncryptionSupported() && hasServerSideEncryptionHeader(r.Header) { + writeErrorResponse(w, ErrBadRequest, r.URL, guessIsBrowserReq(r)) + return + } vars := mux.Vars(r) bucket := vars["bucket"] object := vars["object"] @@ -491,7 +498,10 @@ func (api objectAPIHandlers) HeadObjectHandler(w http.ResponseWriter, r *http.Re writeErrorResponseHeadersOnly(w, ErrBadRequest) return } - + if !objectAPI.IsEncryptionSupported() && hasServerSideEncryptionHeader(r.Header) { + writeErrorResponse(w, ErrBadRequest, r.URL, guessIsBrowserReq(r)) + return + } vars := mux.Vars(r) bucket := vars["bucket"] object := vars["object"] @@ -688,7 +698,10 @@ func (api objectAPIHandlers) CopyObjectHandler(w http.ResponseWriter, r *http.Re writeErrorResponse(w, ErrNotImplemented, r.URL, guessIsBrowserReq(r)) // SSE-KMS is not supported return } - + if !objectAPI.IsEncryptionSupported() && (hasServerSideEncryptionHeader(r.Header) || crypto.SSECopy.IsRequested(r.Header)) { + writeErrorResponse(w, ErrNotImplemented, r.URL, guessIsBrowserReq(r)) + return + } vars := mux.Vars(r) dstBucket := vars["bucket"] dstObject := vars["object"] @@ -1080,7 +1093,10 @@ func (api objectAPIHandlers) PutObjectHandler(w http.ResponseWriter, r *http.Req writeErrorResponse(w, ErrNotImplemented, r.URL, guessIsBrowserReq(r)) // SSE-KMS is not supported return } - + if !objectAPI.IsEncryptionSupported() && hasServerSideEncryptionHeader(r.Header) { + writeErrorResponse(w, ErrNotImplemented, r.URL, guessIsBrowserReq(r)) + return + } vars := mux.Vars(r) bucket := vars["bucket"] object := vars["object"] @@ -1346,7 +1362,10 @@ func (api objectAPIHandlers) NewMultipartUploadHandler(w http.ResponseWriter, r writeErrorResponse(w, ErrNotImplemented, r.URL, guessIsBrowserReq(r)) // SSE-KMS is not supported return } - + if !objectAPI.IsEncryptionSupported() && hasServerSideEncryptionHeader(r.Header) { + writeErrorResponse(w, ErrNotImplemented, r.URL, guessIsBrowserReq(r)) + return + } vars := mux.Vars(r) bucket := vars["bucket"] object := vars["object"] @@ -1446,6 +1465,10 @@ func (api objectAPIHandlers) CopyObjectPartHandler(w http.ResponseWriter, r *htt writeErrorResponse(w, ErrNotImplemented, r.URL, guessIsBrowserReq(r)) // SSE-KMS is not supported return } + if !objectAPI.IsEncryptionSupported() && (hasServerSideEncryptionHeader(r.Header) || crypto.SSECopy.IsRequested(r.Header)) { + writeErrorResponse(w, ErrNotImplemented, r.URL, guessIsBrowserReq(r)) + return + } vars := mux.Vars(r) dstBucket := vars["bucket"] @@ -1706,7 +1729,10 @@ func (api objectAPIHandlers) PutObjectPartHandler(w http.ResponseWriter, r *http writeErrorResponse(w, ErrNotImplemented, r.URL, guessIsBrowserReq(r)) // SSE-KMS is not supported return } - + if !objectAPI.IsEncryptionSupported() && hasServerSideEncryptionHeader(r.Header) { + writeErrorResponse(w, ErrNotImplemented, r.URL, guessIsBrowserReq(r)) + return + } vars := mux.Vars(r) bucket := vars["bucket"] object := vars["object"]