// Session tokens are not allowed in STS AssumeRole requests.
	if getSessionToken(r) != "" {
		return auth.Credentials{}, ErrAccessDenied
	}

	return user, ErrNone
}

func parseForm(r *http.Request) error {
	if err := r.ParseForm(); err != nil {
		return err
	}
	for k, v := range r.PostForm {
		if _, ok := r.Form[k]; !ok {
			r.Form[k] = v
		}
	}
	return nil
}

		}

		// Do the same for the headers.
		for key, value := range testCase.headers {
			req.Header.Set(key, value)
		}

		// parse form.
		req.ParseForm()

		// Check if it matches!
		err := doesPresignedSignatureMatch(payloadSHA256, req, testCase.region, serviceS3)
		if err != testCase.expected {

func (s *storageRESTServer) IsValid(w http.ResponseWriter, r *http.Request) bool {
	if !s.IsAuthValid(w, r) {
		return false
	}

	if err := r.ParseForm(); err != nil {
		s.writeErrorResponse(w, err)
		return false
	}

	diskID := r.Form.Get(storageRESTDiskID)
	if diskID == "" {
		// Request sent empty disk-id, we allow the request

		x := r.URL.Query().Get("x")
		if expectParseFormErr {
			if err := r.ParseForm(); err == nil || !strings.Contains(err.Error(), "semicolon") {
				t.Errorf("expected error mentioning semicolons from ParseForm, got %v", err)
			}
		} else {
			if err := r.ParseForm(); err != nil {
				t.Errorf("expected no error from ParseForm, got %v", err)
			}
		}
		if got := r.FormValue("x"); x != got {

// behavior doesn't match that of many proxies, and the mismatch can lead to
// security issues.
//
// AllowQuerySemicolons should be invoked before [Request.ParseForm] is called.
func AllowQuerySemicolons(h Handler) Handler {
	return HandlerFunc(func(w ResponseWriter, r *Request) {
		if strings.Contains(r.URL.RawQuery, ";") {
			r2 := new(Request)
			*r2 = *r