mirror of
https://github.com/minio/minio.git
synced 2025-01-11 15:03:22 -05:00
Do not reply on ignoredHeaders for server, rely on SignedHeaders sent as part of Authorization header
This commit is contained in:
parent
538572ca91
commit
97d4a27c7e
@ -102,13 +102,10 @@ func urlEncodeName(name string) (string, error) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// getCanonicalHeaders generate a list of request headers with their values
|
// getCanonicalHeaders generate a list of request headers with their values
|
||||||
func (r *Signature) getCanonicalHeaders() string {
|
func (r *Signature) getCanonicalHeaders(signedHeaders map[string][]string) string {
|
||||||
var headers []string
|
var headers []string
|
||||||
vals := make(map[string][]string)
|
vals := make(map[string][]string)
|
||||||
for k, vv := range r.Request.Header {
|
for k, vv := range signedHeaders {
|
||||||
if _, ok := ignoredHeaders[http.CanonicalHeaderKey(k)]; ok {
|
|
||||||
continue // ignored header
|
|
||||||
}
|
|
||||||
headers = append(headers, strings.ToLower(k))
|
headers = append(headers, strings.ToLower(k))
|
||||||
vals[strings.ToLower(k)] = vv
|
vals[strings.ToLower(k)] = vv
|
||||||
}
|
}
|
||||||
@ -137,12 +134,9 @@ func (r *Signature) getCanonicalHeaders() string {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// getSignedHeaders generate a string i.e alphabetically sorted, semicolon-separated list of lowercase request header names
|
// getSignedHeaders generate a string i.e alphabetically sorted, semicolon-separated list of lowercase request header names
|
||||||
func (r *Signature) getSignedHeaders() string {
|
func (r *Signature) getSignedHeaders(signedHeaders map[string][]string) string {
|
||||||
var headers []string
|
var headers []string
|
||||||
for k := range r.Request.Header {
|
for k := range signedHeaders {
|
||||||
if _, ok := ignoredHeaders[http.CanonicalHeaderKey(k)]; ok {
|
|
||||||
continue // ignored header
|
|
||||||
}
|
|
||||||
headers = append(headers, strings.ToLower(k))
|
headers = append(headers, strings.ToLower(k))
|
||||||
}
|
}
|
||||||
headers = append(headers, "host")
|
headers = append(headers, "host")
|
||||||
@ -150,6 +144,22 @@ func (r *Signature) getSignedHeaders() string {
|
|||||||
return strings.Join(headers, ";")
|
return strings.Join(headers, ";")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// extractSignedHeaders extract signed headers from Authorization header
|
||||||
|
func (r *Signature) extractSignedHeaders() map[string][]string {
|
||||||
|
authFields := strings.Split(strings.TrimSpace(r.AuthHeader), ",")
|
||||||
|
extractedHeaders := strings.Split(strings.Split(strings.TrimSpace(authFields[1]), "=")[1], ";")
|
||||||
|
extractedSignedHeadersMap := make(map[string][]string)
|
||||||
|
for _, header := range extractedHeaders {
|
||||||
|
val, ok := r.Request.Header[http.CanonicalHeaderKey(header)]
|
||||||
|
if !ok {
|
||||||
|
// if not found continue, we will fail later
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
extractedSignedHeadersMap[header] = val
|
||||||
|
}
|
||||||
|
return extractedSignedHeadersMap
|
||||||
|
}
|
||||||
|
|
||||||
// getCanonicalRequest generate a canonical request of style
|
// getCanonicalRequest generate a canonical request of style
|
||||||
//
|
//
|
||||||
// canonicalRequest =
|
// canonicalRequest =
|
||||||
@ -169,9 +179,9 @@ func (r *Signature) getCanonicalRequest() string {
|
|||||||
r.Request.Method,
|
r.Request.Method,
|
||||||
encodedPath,
|
encodedPath,
|
||||||
r.Request.URL.RawQuery,
|
r.Request.URL.RawQuery,
|
||||||
r.getCanonicalHeaders(),
|
r.getCanonicalHeaders(r.extractSignedHeaders()),
|
||||||
r.getSignedHeaders(),
|
r.getSignedHeaders(r.extractSignedHeaders()),
|
||||||
r.Request.Header.Get("x-amz-content-sha256"),
|
r.Request.Header.Get(http.CanonicalHeaderKey("x-amz-content-sha256")),
|
||||||
}, "\n")
|
}, "\n")
|
||||||
return canonicalRequest
|
return canonicalRequest
|
||||||
}
|
}
|
||||||
@ -214,11 +224,11 @@ func (r *Signature) getSignature(signingKey []byte, stringToSign string) string
|
|||||||
// returns true if matches, false other wise if error is not nil then it is always false
|
// returns true if matches, false other wise if error is not nil then it is always false
|
||||||
func (r *Signature) DoesSignatureMatch(hashedPayload string) (bool, error) {
|
func (r *Signature) DoesSignatureMatch(hashedPayload string) (bool, error) {
|
||||||
// set new calulated payload
|
// set new calulated payload
|
||||||
r.Request.Header.Set("x-amz-content-sha256", hashedPayload)
|
r.Request.Header.Set("X-Amz-Content-Sha256", hashedPayload)
|
||||||
|
|
||||||
// Add date if not present
|
// Add date if not present
|
||||||
var date string
|
var date string
|
||||||
if date = r.Request.Header.Get("x-amz-date"); date == "" {
|
if date = r.Request.Header.Get(http.CanonicalHeaderKey("x-amz-date")); date == "" {
|
||||||
if date = r.Request.Header.Get("Date"); date == "" {
|
if date = r.Request.Header.Get("Date"); date == "" {
|
||||||
return false, iodine.New(MissingDateHeader{}, nil)
|
return false, iodine.New(MissingDateHeader{}, nil)
|
||||||
}
|
}
|
||||||
|
@ -405,7 +405,8 @@ func (api Minio) HeadBucketHandler(w http.ResponseWriter, req *http.Request) {
|
|||||||
case nil:
|
case nil:
|
||||||
writeSuccessResponse(w, acceptsContentType)
|
writeSuccessResponse(w, acceptsContentType)
|
||||||
case donut.SignatureDoesNotMatch:
|
case donut.SignatureDoesNotMatch:
|
||||||
writeErrorResponse(w, req, SignatureDoesNotMatch, acceptsContentType, req.URL.Path)
|
error := getErrorCode(SignatureDoesNotMatch)
|
||||||
|
w.WriteHeader(error.HTTPStatusCode)
|
||||||
case donut.BucketNotFound:
|
case donut.BucketNotFound:
|
||||||
error := getErrorCode(NoSuchBucket)
|
error := getErrorCode(NoSuchBucket)
|
||||||
w.WriteHeader(error.HTTPStatusCode)
|
w.WriteHeader(error.HTTPStatusCode)
|
||||||
|
@ -45,7 +45,7 @@ const (
|
|||||||
)
|
)
|
||||||
|
|
||||||
func parseDate(req *http.Request) (time.Time, error) {
|
func parseDate(req *http.Request) (time.Time, error) {
|
||||||
amzDate := req.Header.Get("x-amz-date")
|
amzDate := req.Header.Get(http.CanonicalHeaderKey("x-amz-date"))
|
||||||
switch {
|
switch {
|
||||||
case amzDate != "":
|
case amzDate != "":
|
||||||
if _, err := time.Parse(time.RFC1123, amzDate); err == nil {
|
if _, err := time.Parse(time.RFC1123, amzDate); err == nil {
|
||||||
@ -97,7 +97,7 @@ func (h timeHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|||||||
acceptsContentType := getContentType(r)
|
acceptsContentType := getContentType(r)
|
||||||
// Verify if date headers are set, if not reject the request
|
// Verify if date headers are set, if not reject the request
|
||||||
if r.Header.Get("Authorization") != "" {
|
if r.Header.Get("Authorization") != "" {
|
||||||
if r.Header.Get("x-amz-date") == "" && r.Header.Get("Date") == "" {
|
if r.Header.Get(http.CanonicalHeaderKey("x-amz-date")) == "" && r.Header.Get("Date") == "" {
|
||||||
// there is no way to knowing if this is a valid request, could be a attack reject such clients
|
// there is no way to knowing if this is a valid request, could be a attack reject such clients
|
||||||
writeErrorResponse(w, r, RequestTimeTooSkewed, acceptsContentType, r.URL.Path)
|
writeErrorResponse(w, r, RequestTimeTooSkewed, acceptsContentType, r.URL.Path)
|
||||||
return
|
return
|
||||||
|
Loading…
Reference in New Issue
Block a user