MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-11-07 12:52:58 -05:00
Code Issues Packages Projects Releases Wiki Activity

Return authHeaderMalformed for an incorrect region in signature (#5618)

Browse Source
This commit is contained in:
Harshavardhana
2018-03-09 18:18:57 -08:00
committed by kannappanr
parent 7aaf01eb74
commit d90985b6d8
4 changed files with 46 additions and 57 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
cmd/signature-v4.go
View File

@@ -167,7 +167,7 @@ func doesPolicySignatureV4Match(formValues http.Header) APIErrorCode {
region := globalServerConfig.GetRegion()
// Parse credential tag.
credHeader, err := parseCredentialHeader("Credential=" + formValues.Get("X-Amz-Credential"))
credHeader, err := parseCredentialHeader("Credential="+formValues.Get("X-Amz-Credential"), region)
if err != ErrNone {
return ErrMissingFields
}
@@ -177,14 +177,8 @@ func doesPolicySignatureV4Match(formValues http.Header) APIErrorCode {
return ErrInvalidAccessKeyID
}
// Verify if the region is valid.
sRegion := credHeader.scope.region
if !isValidRegion(sRegion, region) {
return ErrInvalidRegion
}
// Get signing key.
signingKey := getSigningKey(cred.SecretKey, credHeader.scope.date, sRegion)
signingKey := getSigningKey(cred.SecretKey, credHeader.scope.date, credHeader.scope.region)
// Get signature.
newSignature := getSignature(signingKey, formValues.Get("Policy"))
@@ -209,7 +203,7 @@ func doesPresignedSignatureMatch(hashedPayload string, r *http.Request, region s
req := *r
// Parse request query string.
pSignValues, err := parsePreSignV4(req.URL.Query())
pSignValues, err := parsePreSignV4(req.URL.Query(), region)
if err != ErrNone {
return err
}
@@ -219,16 +213,6 @@ func doesPresignedSignatureMatch(hashedPayload string, r *http.Request, region s
return ErrInvalidAccessKeyID
}
// Verify if region is valid.
sRegion := pSignValues.Credential.scope.region
// Should validate region, only if region is set.
if region == "" {
region = sRegion
}
if !isValidRegion(sRegion, region) {
return ErrInvalidRegion
}
// Extract all the signed headers along with its values.
extractedSignedHeaders, errCode := extractSignedHeaders(pSignValues.SignedHeaders, r)
if errCode != ErrNone {
@@ -260,7 +244,7 @@ func doesPresignedSignatureMatch(hashedPayload string, r *http.Request, region s
query.Set("X-Amz-Date", t.Format(iso8601Format))
query.Set("X-Amz-Expires", strconv.Itoa(expireSeconds))
query.Set("X-Amz-SignedHeaders", getSignedHeaders(extractedSignedHeaders))
query.Set("X-Amz-Credential", cred.AccessKey+"/"+getScope(t, sRegion))
query.Set("X-Amz-Credential", cred.AccessKey+"/"+getScope(t, pSignValues.Credential.scope.region))
// Save other headers available in the request parameters.
for k, v := range req.URL.Query() {
@@ -292,7 +276,7 @@ func doesPresignedSignatureMatch(hashedPayload string, r *http.Request, region s
// Verify if sha256 payload query is same.
if req.URL.Query().Get("X-Amz-Content-Sha256") != "" {
if req.URL.Query().Get("X-Amz-Content-Sha256") != query.Get("X-Amz-Content-Sha256") {
return ErrSignatureDoesNotMatch
return ErrContentSHA256Mismatch
}
}
@@ -305,7 +289,7 @@ func doesPresignedSignatureMatch(hashedPayload string, r *http.Request, region s
presignedStringToSign := getStringToSign(presignedCanonicalReq, t, pSignValues.Credential.getScope())
// Get hmac presigned signing key.
presignedSigningKey := getSigningKey(cred.SecretKey, pSignValues.Credential.scope.date, region)
presignedSigningKey := getSigningKey(cred.SecretKey, pSignValues.Credential.scope.date, pSignValues.Credential.scope.region)
// Get new signature.
newSignature := getSignature(presignedSigningKey, presignedStringToSign)
@@ -331,7 +315,7 @@ func doesSignatureMatch(hashedPayload string, r *http.Request, region string) AP
v4Auth := req.Header.Get("Authorization")
// Parse signature version '4' header.
signV4Values, err := parseSignV4(v4Auth)
signV4Values, err := parseSignV4(v4Auth, region)
if err != ErrNone {
return err
}
@@ -347,20 +331,6 @@ func doesSignatureMatch(hashedPayload string, r *http.Request, region string) AP
return ErrInvalidAccessKeyID
}
// Verify if region is valid.
sRegion := signV4Values.Credential.scope.region
// Region is set to be empty, we use whatever was sent by the
// request and proceed further. This is a work-around to address
// an important problem for ListBuckets() getting signed with
// different regions.
if region == "" {
region = sRegion
}
// Should validate region, only if region is set.
if !isValidRegion(sRegion, region) {
return ErrInvalidRegion
}
// Extract date, if not present throw error.
var date string
if date = req.Header.Get(http.CanonicalHeaderKey("x-amz-date")); date == "" {
@@ -384,7 +354,7 @@ func doesSignatureMatch(hashedPayload string, r *http.Request, region string) AP
stringToSign := getStringToSign(canonicalRequest, t, signV4Values.Credential.getScope())
// Get hmac signing key.
signingKey := getSigningKey(cred.SecretKey, signV4Values.Credential.scope.date, region)
signingKey := getSigningKey(cred.SecretKey, signV4Values.Credential.scope.date, signV4Values.Credential.scope.region)
// Calculate signature.
newSignature := getSignature(signingKey, stringToSign)