Joss tempUrl generation broken, signed plainText mistakenly includes protocol and hostname #102

avi8tr opened this issue Apr 22, 2016 · 1 comment


@avi8tr avi8tr commented Apr 22, 2016

explains how to construct TempURLs in Python:

```python
import hmac
from hashlib import sha1
from time import time

method = 'GET'
expires = int(time() + 60)  # valid for 60 seconds from now
path = '/v1/AUTH_account/container/object'
key = 'mykey'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
# HMAC-SHA1 over "METHOD\nEXPIRES\nPATH"; encode explicitly so the bytes are fixed (needed on Python 3)
sig = hmac.new(key.encode('utf-8'), hmac_body.encode('utf-8'), sha1).hexdigest()
```

It adds "Be certain to use the full path, from the /v1/ onward."

Here are TempURL-related issues with Joss 0.9.11 that I found so far:
1) Joss 0.9.11 is signing a plaintext that includes i.e. the Joss signature will not match what the server side middleware calculates for comparison and the Joss tempURLs always fail. This may also apply to formPostUrls.
2) Python uses unicode, and it seems risky that Joss relies on the client's default charset to match for java.lang.String.getBytes() to return the same bytes as on the server side (for both key and plainText); I'm not an expert here but getBytes("ISO-8859-1") or "UTF-8" should do; I chose UTF-8.
3) When I went about constructing a path string to encode, to match what the server would use upon receiving my tempURL, I expected account.getPath() to return the "path to append to the host", i.e. something like "/v1/AUTH_account", but for me it returned null. object.getPath() returned the expected "/container/object".
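
The mismatch described in points 1 and 2, as an added example that is not part of the original issue and is not Joss or middleware code: it signs the same object URL once over the path only and once over the full URL, then checks both against a simplified model of the server-side comparison. The host, key and timestamps are constructed, and `server_accepts` and the expiry rule are assumptions made for the illustration.

```python
import hmac
from hashlib import sha1
from urllib.parse import urlsplit, parse_qs

def sign(key, method, expires, text, charset='utf-8'):
    # HMAC-SHA1 over "METHOD\nEXPIRES\nTEXT"; the charset is explicit,
    # never the platform default (point 2 of the issue).
    body = '%s\n%s\n%s' % (method, expires, text)
    return hmac.new(key.encode(charset), body.encode(charset), sha1).hexdigest()

def make_temp_url(key, method, expires, object_url, sign_full_url=False):
    # sign_full_url=True reproduces the reported bug: protocol and hostname
    # end up inside the signed text instead of the path from /v1/ onward.
    path = urlsplit(object_url).path
    signed_text = object_url if sign_full_url else path
    sig = sign(key, method, expires, signed_text)
    return '%s?temp_url_sig=%s&temp_url_expires=%d' % (object_url, sig, expires)

def server_accepts(key, method, temp_url, now):
    # Hypothetical, simplified server-side check: recompute the signature
    # from the request path only and compare in constant time.
    parts = urlsplit(temp_url)
    query = parse_qs(parts.query)
    try:
        sig = query['temp_url_sig'][0]
        expires = int(query['temp_url_expires'][0])
    except (KeyError, ValueError):
        return False
    if expires < now:  # assumed expiry rule for this model
        return False
    expected = sign(key, method, expires, parts.path)
    return hmac.compare_digest(expected.encode('utf-8'), sig.encode('utf-8'))

# Constructed sample values (not taken from the issue).
KEY = 'mykey'
URL = 'https://swift.example.com/v1/AUTH_account/container/object'
NOW = 1461312000
EXPIRES = NOW + 60

GOOD = make_temp_url(KEY, 'GET', EXPIRES, URL)
BAD = make_temp_url(KEY, 'GET', EXPIRES, URL, sign_full_url=True)

if __name__ == '__main__':
    print('path-only signature accepted:', server_accepts(KEY, 'GET', GOOD, NOW))
    print('full-URL signature accepted: ', server_accepts(KEY, 'GET', BAD, NOW))
```
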


@ferrys ferrys commented Jan 15, 2018

Fixed by #146

@ferrys ferrys closed this Jan 15, 2018