-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
don't sign empty headers (as they are discarded by libcurl) #555
Conversation
src/curl.cpp
Outdated
@@ -4162,6 +4166,10 @@ string get_canonical_headers(const struct curl_slist* list) | |||
if(string::npos != (pos = strhead.find(':', 0))){ | |||
string strkey = trim(lower(strhead.substr(0, pos))); | |||
string strval = trim(strhead.substr(pos + 1)); | |||
if (trim(strval).empty()) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you need these calls to trim
? You called it above.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Correct, will fix (and the below case as well).
Thanks!
src/curl.cpp
Outdated
@@ -4187,6 +4195,10 @@ string get_canonical_headers(const struct curl_slist* list, bool only_amz) | |||
if(string::npos != (pos = strhead.find(':', 0))){ | |||
string strkey = trim(lower(strhead.substr(0, pos))); | |||
string strval = trim(strhead.substr(pos + 1)); | |||
if (trim(strval).empty()) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ditto.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please squash commits.
d7ffe30
to
3bcca75
Compare
@orozery Thanks! |
Details
The AWSv4 signature function signs all request headers, including those with an empty string value.
Those headers with empty value are later discarded by libcurl (i.e. they are not sent to the s3 server).
This lead to a situation of a bad signature.
For example, this invalid request was generated:
POST /ozeri/rand10m5?uploads= HTTP/1.1
host: <...>
User-Agent: s3fs/1.80 (commit hash unknown; OpenSSL)
Authorization: AWS4-HMAC-SHA256 Credential=<...>, SignedHeaders=accept;content-length;content-type;host;x-amz-acl;x-amz-content-sha256;x-amz-date;x-amz-meta-gid;x-amz-meta-mode;x-amz-meta-mtime;x-amz-meta-uid, Signature=<...>
Content-Type: application/octet-stream
x-amz-acl: private
x-amz-content-sha256: <...>
x-amz-date: <...>
x-amz-meta-gid: 0
x-amz-meta-mode: 33188
x-amz-meta-mtime: <...>
x-amz-meta-uid: 0
Note that the Authorization string contains accept;content-length in the signedheaders list, but this headers don't actually appear in the request.