mirror of
https://github.com/pgsty/minio.git
synced 2026-07-15 16:30:29 +03:00
f444b6f37e4494aa043b8786214c7c2c5703e5ff
Track issue #27 / GHSA-hv4r-mvr4-25vw as fake CVE-2026-40027. Close the unsigned-trailer trust flaw that let query-string credentials skip signature verification in PutObject and PutObjectPart by moving presigned rejection and SigV4 verification into newUnsignedV4ChunkedReader(), so authTypeStreamingUnsignedTrailer can no longer silently downgrade query auth into an anonymous body read. Add focused regression coverage for forged query-string-only unsigned-trailer PUTs and multipart uploads, mixed header/query auth rejection, and anonymous unsigned-trailer writes that remain allowed only when bucket policy explicitly permits them. Validate the new tests against the vulnerable parent and confirm with before/after live-server runs that presigned unsigned-trailer attacks are rejected while legitimate header-authenticated and policy-driven flows still work. Co-authored-by: Codex <codex@openai.com> Co-authored-by: Claude Code <claude-code@anthropic.com>
Silo (Community maintained fork of MinIO)
Important
This is a community-maintained fork of minio/minio, maintained by Pigsty. This project is NOT affiliated with, endorsed by, or sponsored by MinIO, Inc. "MinIO" is a trademark of MinIO, Inc., used here solely to identify the upstream project.
Changes from upstream are minimal:
- Restored the embedded management console version reference
- Updated documentation links and Go module paths to point to this repository
Distributed under the original GNU AGPLv3 license.
Docker Hub: https://hub.docker.com/r/pgsty/minio / https://hub.docker.com/r/pgsty/mc
Client Repo: pgsty/mc CLI.
Console: georgmangold/console, a community-maintained fork of restored console.
Ansible Deployment: https://pigsty.io/docs/minio
APT/YUM repo for minio and mcli binary: https://pigsty.io/docs/infra
Description
Languages
Go
99%
Shell
0.8%
Makefile
0.1%