Do not reply on ignoredHeaders for server, rely on SignedHeaders sent as part of Authorization header

This commit is contained in:
Harshavardhana 2015-07-10 17:21:53 -07:00
parent 538572ca91
commit 97d4a27c7e
3 changed files with 29 additions and 18 deletions

View File

@ -102,13 +102,10 @@ func urlEncodeName(name string) (string, error) {
} }
// getCanonicalHeaders generate a list of request headers with their values // getCanonicalHeaders generate a list of request headers with their values
func (r *Signature) getCanonicalHeaders() string { func (r *Signature) getCanonicalHeaders(signedHeaders map[string][]string) string {
var headers []string var headers []string
vals := make(map[string][]string) vals := make(map[string][]string)
for k, vv := range r.Request.Header { for k, vv := range signedHeaders {
if _, ok := ignoredHeaders[http.CanonicalHeaderKey(k)]; ok {
continue // ignored header
}
headers = append(headers, strings.ToLower(k)) headers = append(headers, strings.ToLower(k))
vals[strings.ToLower(k)] = vv vals[strings.ToLower(k)] = vv
} }
@ -137,12 +134,9 @@ func (r *Signature) getCanonicalHeaders() string {
} }
// getSignedHeaders generate a string i.e alphabetically sorted, semicolon-separated list of lowercase request header names // getSignedHeaders generate a string i.e alphabetically sorted, semicolon-separated list of lowercase request header names
func (r *Signature) getSignedHeaders() string { func (r *Signature) getSignedHeaders(signedHeaders map[string][]string) string {
var headers []string var headers []string
for k := range r.Request.Header { for k := range signedHeaders {
if _, ok := ignoredHeaders[http.CanonicalHeaderKey(k)]; ok {
continue // ignored header
}
headers = append(headers, strings.ToLower(k)) headers = append(headers, strings.ToLower(k))
} }
headers = append(headers, "host") headers = append(headers, "host")
@ -150,6 +144,22 @@ func (r *Signature) getSignedHeaders() string {
return strings.Join(headers, ";") return strings.Join(headers, ";")
} }
// extractSignedHeaders extract signed headers from Authorization header
func (r *Signature) extractSignedHeaders() map[string][]string {
authFields := strings.Split(strings.TrimSpace(r.AuthHeader), ",")
extractedHeaders := strings.Split(strings.Split(strings.TrimSpace(authFields[1]), "=")[1], ";")
extractedSignedHeadersMap := make(map[string][]string)
for _, header := range extractedHeaders {
val, ok := r.Request.Header[http.CanonicalHeaderKey(header)]
if !ok {
// if not found continue, we will fail later
continue
}
extractedSignedHeadersMap[header] = val
}
return extractedSignedHeadersMap
}
// getCanonicalRequest generate a canonical request of style // getCanonicalRequest generate a canonical request of style
// //
// canonicalRequest = // canonicalRequest =
@ -169,9 +179,9 @@ func (r *Signature) getCanonicalRequest() string {
r.Request.Method, r.Request.Method,
encodedPath, encodedPath,
r.Request.URL.RawQuery, r.Request.URL.RawQuery,
r.getCanonicalHeaders(), r.getCanonicalHeaders(r.extractSignedHeaders()),
r.getSignedHeaders(), r.getSignedHeaders(r.extractSignedHeaders()),
r.Request.Header.Get("x-amz-content-sha256"), r.Request.Header.Get(http.CanonicalHeaderKey("x-amz-content-sha256")),
}, "\n") }, "\n")
return canonicalRequest return canonicalRequest
} }
@ -214,11 +224,11 @@ func (r *Signature) getSignature(signingKey []byte, stringToSign string) string
// returns true if matches, false other wise if error is not nil then it is always false // returns true if matches, false other wise if error is not nil then it is always false
func (r *Signature) DoesSignatureMatch(hashedPayload string) (bool, error) { func (r *Signature) DoesSignatureMatch(hashedPayload string) (bool, error) {
// set new calulated payload // set new calulated payload
r.Request.Header.Set("x-amz-content-sha256", hashedPayload) r.Request.Header.Set("X-Amz-Content-Sha256", hashedPayload)
// Add date if not present // Add date if not present
var date string var date string
if date = r.Request.Header.Get("x-amz-date"); date == "" { if date = r.Request.Header.Get(http.CanonicalHeaderKey("x-amz-date")); date == "" {
if date = r.Request.Header.Get("Date"); date == "" { if date = r.Request.Header.Get("Date"); date == "" {
return false, iodine.New(MissingDateHeader{}, nil) return false, iodine.New(MissingDateHeader{}, nil)
} }

View File

@ -405,7 +405,8 @@ func (api Minio) HeadBucketHandler(w http.ResponseWriter, req *http.Request) {
case nil: case nil:
writeSuccessResponse(w, acceptsContentType) writeSuccessResponse(w, acceptsContentType)
case donut.SignatureDoesNotMatch: case donut.SignatureDoesNotMatch:
writeErrorResponse(w, req, SignatureDoesNotMatch, acceptsContentType, req.URL.Path) error := getErrorCode(SignatureDoesNotMatch)
w.WriteHeader(error.HTTPStatusCode)
case donut.BucketNotFound: case donut.BucketNotFound:
error := getErrorCode(NoSuchBucket) error := getErrorCode(NoSuchBucket)
w.WriteHeader(error.HTTPStatusCode) w.WriteHeader(error.HTTPStatusCode)

View File

@ -45,7 +45,7 @@ const (
) )
func parseDate(req *http.Request) (time.Time, error) { func parseDate(req *http.Request) (time.Time, error) {
amzDate := req.Header.Get("x-amz-date") amzDate := req.Header.Get(http.CanonicalHeaderKey("x-amz-date"))
switch { switch {
case amzDate != "": case amzDate != "":
if _, err := time.Parse(time.RFC1123, amzDate); err == nil { if _, err := time.Parse(time.RFC1123, amzDate); err == nil {
@ -97,7 +97,7 @@ func (h timeHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
acceptsContentType := getContentType(r) acceptsContentType := getContentType(r)
// Verify if date headers are set, if not reject the request // Verify if date headers are set, if not reject the request
if r.Header.Get("Authorization") != "" { if r.Header.Get("Authorization") != "" {
if r.Header.Get("x-amz-date") == "" && r.Header.Get("Date") == "" { if r.Header.Get(http.CanonicalHeaderKey("x-amz-date")) == "" && r.Header.Get("Date") == "" {
// there is no way to knowing if this is a valid request, could be a attack reject such clients // there is no way to knowing if this is a valid request, could be a attack reject such clients
writeErrorResponse(w, r, RequestTimeTooSkewed, acceptsContentType, r.URL.Path) writeErrorResponse(w, r, RequestTimeTooSkewed, acceptsContentType, r.URL.Path)
return return