presign: Verify query params for presign individually
Incoming request params in presigned requests can arrive in a different order depending on the implementation. Rather than verifying the full query string, we should verify individual params instead. This patch fixes an incompatibility issue with AWS SDK Java. Fixes #1059 - Thanks to @notnoopci for reporting this problem.
parent
ed69c58490
commit
2469c9c591
@ -308,12 +308,27 @@ func (r *Signature) DoesPresignedSignatureMatch() (bool, *probe.Error) {
|
|||||||
query.Set("X-Amz-Expires", strconv.Itoa(expireSeconds))
|
query.Set("X-Amz-Expires", strconv.Itoa(expireSeconds))
|
||||||
query.Set("X-Amz-SignedHeaders", r.getSignedHeaders(r.extractSignedHeaders()))
|
query.Set("X-Amz-SignedHeaders", r.getSignedHeaders(r.extractSignedHeaders()))
|
||||||
query.Set("X-Amz-Credential", r.AccessKeyID+"/"+r.getScope(t))
|
query.Set("X-Amz-Credential", r.AccessKeyID+"/"+r.getScope(t))
|
||||||
|
|
||||||
encodedQuery := query.Encode()
|
encodedQuery := query.Encode()
|
||||||
newSignature := r.getSignature(r.getSigningKey(t), r.getStringToSign(r.getPresignedCanonicalRequest(encodedQuery), t))
|
|
||||||
encodedQuery += "&X-Amz-Signature=" + newSignature
|
|
||||||
|
|
||||||
if encodedQuery != r.Request.URL.RawQuery {
|
// Verify if date query is same.
|
||||||
|
if r.Request.URL.Query().Get("X-Amz-Date") != query.Get("X-Amz-Date") {
|
||||||
|
return false, nil
|
||||||
|
}
|
||||||
|
// Verify if expires query is same.
|
||||||
|
if r.Request.URL.Query().Get("X-Amz-Expires") != query.Get("X-Amz-Expires") {
|
||||||
|
return false, nil
|
||||||
|
}
|
||||||
|
// Verify if signed headers query is same.
|
||||||
|
if r.Request.URL.Query().Get("X-Amz-SignedHeaders") != query.Get("X-Amz-SignedHeaders") {
|
||||||
|
return false, nil
|
||||||
|
}
|
||||||
|
// Verify if credential query is same.
|
||||||
|
if r.Request.URL.Query().Get("X-Amz-Credential") != query.Get("X-Amz-Credential") {
|
||||||
|
return false, nil
|
||||||
|
}
|
||||||
|
// Verify finally if signature is same.
|
||||||
|
newSignature := r.getSignature(r.getSigningKey(t), r.getStringToSign(r.getPresignedCanonicalRequest(encodedQuery), t))
|
||||||
|
if r.Request.URL.Query().Get("X-Amz-Signature") != newSignature {
|
||||||
return false, nil
|
return false, nil
|
||||||
}
|
}
|
||||||
return true, nil
|
return true, nil
|
||||||
|
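Review bot: Dropping the whole-string comparison against `r.Request.URL.RawQuery` means query parameters other than the five checked here are no longer covered by verification. The signature is computed over the server-built `encodedQuery`, so a request carrying extra parameters would still pass if `query` (built above the hunk, not visible here) holds only the X-Amz-* fields. Either fold every request parameter except `X-Amz-Signature` into the canonical query, or reject keys outside the expected set before computing `newSignature`. Separately, the final check compares the signature with `!=`, which is not constant-time; `if subtle.ConstantTimeCompare([]byte(r.Request.URL.Query().Get("X-Amz-Signature")), []byte(newSignature)) != 1 {` (with `crypto/subtle` imported) avoids leaking how many leading bytes matched. The body of DoesPresignedSignatureMatch starts outside the hunk.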