Expires time is calculated twice when using expires_in and can cause signature authentication problems #54

wants to merge 2 commits into

1 participant

loe commented Feb 1, 2012

@bmo figured this out, I'm just the messenger.

The build method in QueryString calls #expires, and so does #encoded_canonical.

 # Keep in alphabetical order
 def build

If these calls lie on separate sides of a second tick the signature will be wrong. The solution is to memoize the first call so encoded_canonical uses the same value.

@j15e j15e added a commit to didacte/aws-sdk-ruby that referenced this pull request Jul 3, 2015
@j15e j15e Ensure S3 presigned default expires time is not changing
It occurred to us that signatures end up invalid randomly because the default signature time is computed twice and we can end up with a policy that was signed for a policy with an expiration time 1 second earlier.

To be specific, the policy is computed twice inside the `fields` method which uses the `formation_expiration` twice too, which in turn computes `Time.now` at two different times.

@see marcel/aws-s3#54 (similar issue)
@j15e j15e referenced this pull request in aws/aws-sdk-ruby Jul 3, 2015

Ensure S3 presigned default expires time is not changing #861

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment