Joss tempUrl generation broken, signed plainText mistakenly includes protocol and hostname #102

Closed
avi8tr opened this Issue Apr 22, 2016 · 1 comment

avi8tr commented Apr 22, 2016

https://github.com/openstack/swift/blob/master/swift/common/middleware/tempurl.py explains how to construct TempURLs in python:

    import hmac
    from hashlib import sha1
    from time import time

    method = 'GET'
    expires = int(time() + 60)
    # Sign the full request path, from /v1/ onward; no scheme, no host.
    path = '/v1/AUTH_account/container/object'
    key = 'mykey'
    # Signed text is METHOD, expiry and path, separated by newlines.
    hmac_body = '%s\n%s\n%s' % (method, expires, path)
    # Python 3's hmac needs bytes: encode key and body explicitly so the
    # result does not depend on a default charset.
    sig = hmac.new(key.encode('utf-8'), hmac_body.encode('utf-8'), sha1).hexdigest()

It adds "Be certain to use the full path, from the /v1/ onward."

Here are TempURL-related issues with Joss 0.9.11 that I found so far:
1) Joss 0.9.11 is signing a plaintext that includes https://the.storage.url, i.e. the Joss signature will not match what the server-side middleware calculates for comparison and the Joss tempURLs always fail. This may also apply to formPostUrls.
2) Python uses unicode, and it seems risky that Joss relies on the client's default charset to match for java.lang.String.getBytes() to return the same bytes as on the server side (for both key and plainText); I'm not an expert here but getBytes("ISO-8859-1") or "UTF-8" should do; I chose UTF-8.
3) When I went about constructing a path string to encode, to match what the server would use upon receiving my tempURL, I expected account.getPath() to return the "path to append to the host", i.e. something like "/v1/AUTH_account", but for me it returned null. object.getPath() returned the expected "/container/object".
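The mismatch described in points 1) and 2), shown as an added example (not Joss code and not from the issue author): the client must sign only the path from /v1/ onward with explicitly encoded bytes, and a signature over the full URL can never match what the server recomputes. The storage URL, object path and key are constructed sample values.

```python
import hmac
from hashlib import sha1
from urllib.parse import parse_qsl, urlsplit

# Constructed sample values for the demo (not a real host or key).
STORAGE_URL = "https://the.storage.url/v1/AUTH_account"
OBJECT_PATH = "/container/object"
KEY = "mykey"


def signed_path(object_url: str) -> str:
    """The part of a full object URL that the middleware signs: the request
    path from /v1/ onward, with scheme and host stripped."""
    path = urlsplit(object_url).path
    if not path.startswith("/v1/"):
        raise ValueError("TempURL path must begin at /v1/, got %r" % path)
    return path


def tempurl_sig(key: str, method: str, expires: int, path: str) -> str:
    """HMAC-SHA1 over 'METHOD\\nEXPIRES\\nPATH'. Key and body are encoded as
    UTF-8 explicitly so the bytes do not depend on a default charset."""
    body = "%s\n%s\n%s" % (method, expires, path)
    return hmac.new(key.encode("utf-8"), body.encode("utf-8"), sha1).hexdigest()


def build_tempurl(object_url: str, key: str, method: str, expires: int) -> str:
    """Client side: sign only the path, then append sig and expiry as query
    parameters to the full URL."""
    sig = tempurl_sig(key, method, expires, signed_path(object_url))
    return "%s?temp_url_sig=%s&temp_url_expires=%d" % (object_url, sig, expires)


def server_accepts(tempurl: str, key: str, method: str) -> bool:
    """Server side (simplified): recompute over the request path only and
    compare in constant time; checking expiry against the clock is omitted."""
    parts = urlsplit(tempurl)
    query = dict(parse_qsl(parts.query))
    expected = tempurl_sig(key, method, int(query["temp_url_expires"]), parts.path)
    return hmac.compare_digest(expected, query["temp_url_sig"])


def broken_joss_sig(object_url: str, key: str, method: str, expires: int) -> str:
    """The reported bug: scheme and host end up in the signed text, so this
    never matches what server_accepts() recomputes."""
    return tempurl_sig(key, method, expires, object_url)
```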

@ferrys

Contributor

ferrys commented Jan 15, 2018

Fixed by #146

@ferrys ferrys closed this Jan 15, 2018
