aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlex <alex@adnab.me>2024-03-01 12:50:15 +0000
committerAlex <alex@adnab.me>2024-03-01 12:50:15 +0000
commit70b9904e9132933996a259504254e427a604aa4a (patch)
tree60e55896f3225ce5dc26bfc3d370daf7fd382338
parentb8c7a560ef339142607106649f8cef88def82fb8 (diff)
parenta36248a1695de02cc19b25ba127810bd32b6d350 (diff)
downloadgarage-70b9904e9132933996a259504254e427a604aa4a.tar.gz
garage-70b9904e9132933996a259504254e427a604aa4a.zip
Merge pull request 'AWS signatures v4: don't actually check Content-Type is signed' (#745) from fix-signed-headers into main
Reviewed-on: https://git.deuxfleurs.fr/Deuxfleurs/garage/pulls/745
-rwxr-xr-xscript/test-smoke.sh4
-rw-r--r--src/api/signature/payload.rs19
2 files changed, 9 insertions, 14 deletions
diff --git a/script/test-smoke.sh b/script/test-smoke.sh
index 6965c0f3..9f9ea50c 100755
--- a/script/test-smoke.sh
+++ b/script/test-smoke.sh
@@ -81,11 +81,9 @@ if [ -z "$SKIP_AWS" ]; then
echo "Invalid multipart upload"
exit 1
fi
+ aws s3api delete-object --bucket eprouvette --key upload
fi
-echo "OK!!"
-exit 0
-
# S3CMD
if [ -z "$SKIP_S3CMD" ]; then
echo "🛠️ Testing with s3cmd"
diff --git a/src/api/signature/payload.rs b/src/api/signature/payload.rs
index a9e7d34d..0029716a 100644
--- a/src/api/signature/payload.rs
+++ b/src/api/signature/payload.rs
@@ -3,7 +3,7 @@ use std::convert::TryFrom;
use chrono::{DateTime, Duration, NaiveDateTime, TimeZone, Utc};
use hmac::Mac;
-use hyper::header::{HeaderMap, HeaderName, HeaderValue, AUTHORIZATION, CONTENT_TYPE, HOST};
+use hyper::header::{HeaderMap, HeaderName, HeaderValue, AUTHORIZATION, HOST};
use hyper::{body::Incoming as IncomingBody, Method, Request};
use sha2::{Digest, Sha256};
@@ -74,12 +74,13 @@ async fn check_standard_signature(
let authorization = Authorization::parse_header(request.headers())?;
// Verify that all necessary request headers are included in signed_headers
- // For standard AWSv4 signatures, the following must be included:
+ // The following must be included for all signatures:
// - the Host header (mandatory)
- // - the Content-Type header, if it is used in the request
// - all x-amz-* headers used in the request
+ // AWS also indicates that the Content-Type header should be signed if
+ // it is used, but Minio client doesn't sign it so we don't check it for compatibility.
let signed_headers = split_signed_headers(&authorization)?;
- verify_signed_headers(request.headers(), &signed_headers, &[CONTENT_TYPE])?;
+ verify_signed_headers(request.headers(), &signed_headers)?;
let canonical_request = canonical_request(
service,
@@ -129,7 +130,7 @@ async fn check_presigned_signature(
// - the Host header (mandatory)
// - all x-amz-* headers used in the request
let signed_headers = split_signed_headers(&authorization)?;
- verify_signed_headers(request.headers(), &signed_headers, &[])?;
+ verify_signed_headers(request.headers(), &signed_headers)?;
// The X-Amz-Signature value is passed as a query parameter,
// but the signature cannot be computed from a string that contains itself.
@@ -229,16 +230,12 @@ fn split_signed_headers(authorization: &Authorization) -> Result<Vec<HeaderName>
Ok(signed_headers)
}
-fn verify_signed_headers(
- headers: &HeaderMap,
- signed_headers: &[HeaderName],
- extra_headers: &[HeaderName],
-) -> Result<(), Error> {
+fn verify_signed_headers(headers: &HeaderMap, signed_headers: &[HeaderName]) -> Result<(), Error> {
if !signed_headers.contains(&HOST) {
return Err(Error::bad_request("Header `Host` should be signed"));
}
for (name, _) in headers.iter() {
- if name.as_str().starts_with("x-amz-") || extra_headers.contains(name) {
+ if name.as_str().starts_with("x-amz-") {
if !signed_headers.contains(name) {
return Err(Error::bad_request(format!(
"Header `{}` should be signed",