From 5d356715765112bcc0c43270c4bc2b7630aed50b Mon Sep 17 00:00:00 2001
From: Shilpa Jagannath
Date: Tue, 27 Jan 2026 01:53:47 -0500
Subject: [PATCH] rgw/auth: a forwarded CreateBucket request in case of multisite has an empty payload hash computed for UNSIGNED-PAYLOAD. use that hash for the header 'x-amz-content-sha256' in AWSSignerV4::prepare()
Signed-off-by: Shilpa Jagannath
---
 src/rgw/rgw_rest_s3.cc | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index 7aef4284ce9..909246c221f 100644
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -6341,10 +6341,17 @@ AWSSignerV4::prepare(const DoutPrefixProvider *dpp,
 content_hash = rgw::auth::s3::calc_v4_payload_hash(opt_content->to_str());
 extra_headers["x-amz-content-sha256"] = content_hash;
 } else {
+ // check if the header was already set (e.g. from a forwarded request)
+ const char* existing_hash = info.env->get("HTTP_X_AMZ_CONTENT_SHA256");
+ if (existing_hash) {
+ // use existing header value
+ extra_headers["x-amz-content-sha256"] = existing_hash;
+ } else {
 /* Some S3-compatible services require x-amz-content-sha256 header to always
 * be present and included in the signature, even for unsigned payload.
 * AWS S3 specification states that this header is required for all requests. */
 extra_headers["x-amz-content-sha256"] = AWS4_UNSIGNED_PAYLOAD_HASH;
+ }
 }
 /* craft canonical headers */
-- 
2.47.3
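Review bot: The new branch copies `HTTP_X_AMZ_CONTENT_SHA256` from the request environment into the outgoing signed headers without checking it, and nothing in the hunk limits this to the forwarded-request case the comment names. The value comes from the inbound request, so an empty or malformed string would be signed and sent on as-is; at minimum guard with `if (existing_hash && *existing_hash) {`, and consider accepting only a 64-character hex digest or `AWS4_UNSIGNED_PAYLOAD_HASH` before falling back to the default. `content_hash` is not assigned on this path within the hunk, so whether the canonical request built later uses the same value as the header cannot be confirmed from here; the body of `AWSSignerV4::prepare()` continues outside the hunk. A comment stating why the inbound value may be trusted (presumably because the receiving zone already verified the original signature) would help the next reader.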