0006-00000228

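Problem description

When you call the PostObject API, any additional form field that is passed in the request but not constrained in the policy causes the following error: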

<?xml version="1.0" encoding="UTF-8"?> 
<Error> 
    <Code>AccessDenied</Code> 
    <Message>Invalid according to Policy: Extra input fields: x-oss-credential</Message> 
    <RequestId>69082238*********</RequestId> 
    <HostId>example-bucket.oss-cn-hangzhou.aliyuncs.com</HostId> 
    <EC>0006-00000228</EC> 
    <RecommendDoc>https://api.aliyun.com/troubleshoot?q=0006-00000228</RecommendDoc> 
</Error>

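Cause

The PostObject V4 signature has four required form fields, and they must be constrained in the policy. If a request passes these four form fields but the policy does not constrain them, the following error is returned: Invalid according to Policy: Extra input fields: x-oss-xxxx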


Example of the problem

The following request body passes the four form fields x-oss-credential, x-oss-date, x-oss-signature-version, and x-oss-signature, but the policy does not constrain them.

POST / HTTP/1.1
Host: oss-example.oss-cn-hangzhou.aliyuncs.com
Content-Length: 6443500495
Date: Sat, 18 Feb 2023 05:17:02 GMT
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryW0DET1iaBMeAOBg3
Host: example-bucket.oss-cn-hangzhou.aliyuncs.com

------WebKitFormBoundaryW0DET1iaBMeAOBg3
Content-Disposition: form-data; name="key"

big.img
------WebKitFormBoundaryW0DET1iaBMeAOBg3
Content-Disposition: form-data; name="x-oss-date"

abc
------WebKitFormBoundaryW0DET1iaBMeAOBg3
Content-Disposition: form-data; name="policy"

eyJleHBpcmF0aW9uIjoiMjAyMy0wMi0xOFQxMzoxOTowMC4wMDBaIiwiY29uZGl0aW9ucyI6W1siY29udGVudC1sZW5ndGgtcmFuZ2UiLDAsMTA0ODU3NjAwMF1dfQ==
------WebKitFormBoundaryW0DET1iaBMeAOBg3
Content-Disposition: form-data; name="x-oss-credential"

LTAI****************
------WebKitFormBoundaryW0DET1iaBMeAOBg3
Content-Disposition: form-data; name="success_action_status"

200
------WebKitFormBoundaryW0DET1iaBMeAOBg3
Content-Disposition: form-data; name="x-oss-signature-version"

OSS4-HMAC-SHA256
------WebKitFormBoundaryW0DET1iaBMeAOBg3
Content-Disposition: form-data; name="x-oss-signature"

miAoLVohS5*****WEXyC3wVecaQ=
------WebKitFormBoundaryW0DET1iaBMeAOBg3
Content-Disposition: form-data; name="file"; filename="big.img"
Content-Type: application/octet-stream

***
------WebKitFormBoundaryW0DET1iaBMeAOBg3--

Solution

Constrain the four required parameters in the policy, then Base64-encode the policy and pass it in the policy form field of the request body.

{
    "expiration": "2025-11-10T21:17:16.000Z",
    "conditions": [
        {
            "bucket": "example-bucket"
        },
        {
            "x-oss-signature-version": "OSS4-HMAC-SHA256"
        },
        {
            "x-oss-credential": "LTAI****************/20251110/cn-hangzhou/oss/aliyun_v4_request"
        },
        {
            "x-oss-date": "20251110T121716Z"
        }
    ]
}
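
A client-side pre-flight check for this error, as an added example (not code from the OSS documentation or SDK): it decodes the policy form field and lists the signature fields that the form sends but the policy does not constrain. The function names and sample values are constructed, and the check assumes that only the three x-oss-* fields present in the solution policy above need a condition.

```python
import base64
import json

# Fields checked here: the x-oss-* fields the solution policy on this page
# constrains. Assumption: x-oss-signature itself needs no policy condition.
SIGNED_FIELDS = ("x-oss-signature-version", "x-oss-credential", "x-oss-date")


def encode_policy(doc):
    """Serialize a policy document and Base64-encode it for the form."""
    return base64.b64encode(json.dumps(doc).encode("utf-8")).decode("ascii")


def constrained_fields(policy_b64):
    """Return the lower-cased field names a Base64 policy constrains."""
    policy = json.loads(base64.b64decode(policy_b64))
    names = set()
    for cond in policy.get("conditions", []):
        if isinstance(cond, dict):  # exact match: {"field": "value"}
            names.update(key.lower() for key in cond)
        elif (isinstance(cond, list) and len(cond) >= 2
              and isinstance(cond[1], str) and cond[1].startswith("$")):
            names.add(cond[1][1:].lower())  # ["eq", "$field", "value"]
    return names


def unconstrained_signature_fields(form):
    """List signature fields present in the form but absent from its policy."""
    covered = constrained_fields(form["policy"])
    return [name for name in SIGNED_FIELDS if name in form and name not in covered]


# Constructed sample data; credential and signature are placeholders.
FORM = {"key": "big.img", "x-oss-signature-version": "OSS4-HMAC-SHA256",
        "x-oss-credential": "LTAI-PLACEHOLDER/20251110/cn-hangzhou/oss/aliyun_v4_request",
        "x-oss-date": "20251110T121716Z", "x-oss-signature": "PLACEHOLDER"}
# Same conditions as the policy in the failing request: content-length-range only.
BAD = dict(FORM, policy=encode_policy({
    "expiration": "2023-02-18T13:19:00.000Z",
    "conditions": [["content-length-range", 0, 1048576000]]}))
# Same conditions as the solution policy.
GOOD = dict(FORM, policy=encode_policy({
    "expiration": "2025-11-10T21:17:16.000Z",
    "conditions": [{"bucket": "example-bucket"},
                   {"x-oss-signature-version": FORM["x-oss-signature-version"]},
                   {"x-oss-credential": FORM["x-oss-credential"]},
                   {"x-oss-date": FORM["x-oss-date"]}]}))

if __name__ == "__main__":
    print("failing form :", unconstrained_signature_fields(BAD))
    print("solution form:", unconstrained_signature_fields(GOOD))
```

Running the check before the upload form is issued surfaces the mismatch without a round trip to OSS.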

Related documentation