Skip to content


Expires time is calculated twice when using expires_in and can cause signature authentication problems #54

wants to merge 2 commits into from

1 participant

loe commented

@bmo figured this out, I'm just the messenger.

The build method in QueryString calls #expires, and so does #encoded_canonical.

 # Keep in alphabetical order
 def build

If these calls lie on separate sides of a second tick the signature will be wrong. The solution is to memoize the first call so encoded_canonical uses the same value.

@j15e j15e added a commit to didacte/aws-sdk-ruby that referenced this pull request
@j15e j15e Ensure S3 presigned default expires time is not changing
It occurred to us that signatures end up invalid randomly because the default signature time is computed twice and we can end up with a policy that was signed for a policy with an expiration time 1 second earlier.

To be specific, the policy is computed twice inside the `fields` method which uses the `formation_expiration` twice too, which in turn computes `` at two different times.

@see marcel/aws-s3#54 (similar issue)
@j15e j15e referenced this pull request in aws/aws-sdk-ruby

Ensure S3 presigned default expires time is not changing #861

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Commits on Feb 1, 2012
  1. @loe

    Memoize the expires time.

    loe committed
  2. @loe


    loe committed
This page is out of date. Refresh to see the latest.
Showing with 2 additions and 2 deletions.
  1. +2 −2 lib/aws/s3/authentication.rb
4 lib/aws/s3/authentication.rb
@@ -115,7 +115,7 @@ def initialize(*args)
# 3) The current time in seconds since the epoch plus the default number of seconds (60 seconds)
def expires
return options[:expires] if options[:expires]
- date.to_i + expires_in
+ @expires ||= date.to_i + expires_in
def expires_in
@@ -218,4 +218,4 @@ def only_path
Something went wrong with that request. Please try again.