AWS: Fix S3V4RestSignerClient cache key to include all request components #15171
Fixes #15166.
The cache key for signed responses only included method, region, and URI, but not headers like `x-amz-content-sha256` that are part of the signature. This caused 403 errors when different content was uploaded to the same URI within the cache TTL.

This fix uses the full `S3SignRequest` as the cache key. This is the only 100% safe option because we cannot know which headers the server will sign and which ones it will ignore; any header included in the signature must be part of the cache key.

This change reduces cache efficiency, but that's the price to pay for correctness.
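
The failure described above, reproduced in a small model. This is an added example, not code from this pull request or from Iceberg. It assumes a simplified HMAC signer in place of real SigV4, and every name, key, region and URL in it is hypothetical or constructed.

```python
import hashlib
import hmac

SIGNING_KEY = b"constructed-demo-key"  # constructed; stands in for the signer's secret


def make_put(uri, body):
    """Build a request whose x-amz-content-sha256 header tracks the body."""
    digest = hashlib.sha256(body).hexdigest()
    return {"method": "PUT", "region": "us-east-1", "uri": uri,
            "headers": {"x-amz-content-sha256": digest}}


def full_key(req):
    """Every request component: method, region, URI and all headers."""
    return (req["method"], req["region"], req["uri"],
            tuple(sorted(req["headers"].items())))


def narrow_key(req):
    """The pre-fix key shape: method, region and URI only."""
    return (req["method"], req["region"], req["uri"])


def remote_sign(req):
    """Simplified signer: HMAC over all components (assumption, not real SigV4)."""
    return hmac.new(SIGNING_KEY, repr(full_key(req)).encode(), hashlib.sha256).hexdigest()


def server_accepts(req, signature):
    """Storage side recomputes the signature; False models the 403."""
    return hmac.compare_digest(remote_sign(req), signature)


class CachingSigner:
    """Caches signatures under whatever key function it is given."""

    def __init__(self, key_fn):
        self.key_fn, self.cache, self.remote_calls = key_fn, {}, 0

    def sign(self, req):
        key = self.key_fn(req)
        if key not in self.cache:  # cache miss: ask the signer
            self.remote_calls += 1
            self.cache[key] = remote_sign(req)
        return self.cache[key]


def upload_twice(key_fn):
    """Sign two different bodies for one URI; return acceptance and signer calls."""
    signer = CachingSigner(key_fn)
    uri = "https://bucket.example/data/file.parquet"  # constructed URL
    uploads = [make_put(uri, b"first"), make_put(uri, b"second")]
    return [server_accepts(r, signer.sign(r)) for r in uploads], signer.remote_calls
```

With `narrow_key` the second upload reuses the first upload's signature and is rejected after a single signer call; with `full_key` both uploads are accepted at the cost of two signer calls.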