mirror of
https://github.com/pgsty/minio.git
synced 2026-07-15 16:30:29 +03:00
efb6e5b00b03e189b44c0349efcee07d440ec428
Track issue #28 / GHSA-9c4q-hq6p-c237 as fake CVE-2026-40028. Close the Snowball auto-extract auth gap in PutObjectExtractHandler by treating authTypeStreamingUnsignedTrailer the same as ordinary PUTs: honor X-Amz-Decoded-Content-Length, initialize newUnsignedV4ChunkedReader(), and verify the SigV4 request before any tar bytes reach untar(). This removes the forged-signature write primitive that let a single request fan out into arbitrary extracted object creation. Add regression coverage for forged-signature Snowball unsigned-trailer writes, anonymous Snowball requests against non-public buckets, and legitimate signed Snowball extraction with trailing CRC32 trailers. Validate the new tests against the vulnerable parent and patched tree, and confirm with containerized before/after smoke runs that the exploit succeeds pre-fix, fails post-fix, and normal signed Snowball uploads still extract correctly. Co-authored-by: Codex <codex@openai.com> Co-authored-by: Claude Code <claude-code@anthropic.com>
Silo (Community maintained fork of MinIO)
Important
This is a community-maintained fork of minio/minio, maintained by Pigsty. This project is NOT affiliated with, endorsed by, or sponsored by MinIO, Inc. "MinIO" is a trademark of MinIO, Inc., used here solely to identify the upstream project.
Changes from upstream are minimal:
- Restored the embedded management console version reference
- Updated documentation links and Go module paths to point to this repository
Distributed under the original GNU AGPLv3 license.
Docker Hub: https://hub.docker.com/r/pgsty/minio / https://hub.docker.com/r/pgsty/mc
Client Repo: pgsty/mc CLI.
Console: georgmangold/console, a community-maintained fork of restored console.
Ansible Deployment: https://pigsty.io/docs/minio
APT/YUM repo for minio and mcli binary: https://pigsty.io/docs/infra
Description
Languages
Go
99%
Shell
0.8%
Makefile
0.1%