ceph · dang · Jan 29, 2020 · Nov 26, 2019
diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h
@@ -1648,6 +1648,7 @@ namespace rgw {
   namespace auth {
     namespace s3 {
       class AWSBrowserUploadAbstractor;
+      class STSEngine;
     }
     class Completer;
   }
@@ -2056,6 +2057,7 @@ struct req_state : DoutPrefixProvider {
       friend class RGWPostObj_ObjStore_S3;
       /* Reader. */
       friend class rgw::auth::s3::AWSBrowserUploadAbstractor;
+      friend class rgw::auth::s3::STSEngine;
 
       std::string access_key;
       std::string signature;

diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
@@ -2308,7 +2308,12 @@ int RGWPostObj_ObjStore_S3::get_policy()
       }
     }
 
-    part_str(parts, "x-amz-security-token", &s->auth.s3_postobj_creds.x_amz_security_token);
+    if (part_str(parts, "x-amz-security-token", &s->auth.s3_postobj_creds.x_amz_security_token)) {
+      if (s->auth.s3_postobj_creds.x_amz_security_token.size() == 0) {
+        err_msg = "Invalid token";
+        return -EINVAL;
+      }
+    }
 
     /* FIXME: this is a makeshift solution. The browser upload authentication will be
      * handled by an instance of rgw::auth::Completer spawned in Handler's authorize()
@@ -5099,7 +5104,8 @@ rgw::auth::s3::STSEngine::authenticate(
   const req_state* const s) const
 {
   if (! s->info.args.exists("X-Amz-Security-Token") &&
-      ! s->info.env->exists("HTTP_X_AMZ_SECURITY_TOKEN")) {
+      ! s->info.env->exists("HTTP_X_AMZ_SECURITY_TOKEN") &&
+      s->auth.s3_postobj_creds.x_amz_security_token.empty()) {
     return result_t::deny();
   }