Compare commits
No commits in common. "70b9904e9132933996a259504254e427a604aa4a" and "b8c7a560ef339142607106649f8cef88def82fb8" have entirely different histories.
70b9904e91
...
b8c7a560ef
2 changed files with 14 additions and 9 deletions
|
|
@ -81,9 +81,11 @@ if [ -z "$SKIP_AWS" ]; then
|
|||
echo "Invalid multipart upload"
|
||||
exit 1
|
||||
fi
|
||||
aws s3api delete-object --bucket eprouvette --key upload
|
||||
fi
|
||||
|
||||
echo "OK!!"
|
||||
exit 0
|
||||
|
||||
# S3CMD
|
||||
if [ -z "$SKIP_S3CMD" ]; then
|
||||
echo "🛠️ Testing with s3cmd"
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@ use std::convert::TryFrom;
|
|||
|
||||
use chrono::{DateTime, Duration, NaiveDateTime, TimeZone, Utc};
|
||||
use hmac::Mac;
|
||||
use hyper::header::{HeaderMap, HeaderName, HeaderValue, AUTHORIZATION, HOST};
|
||||
use hyper::header::{HeaderMap, HeaderName, HeaderValue, AUTHORIZATION, CONTENT_TYPE, HOST};
|
||||
use hyper::{body::Incoming as IncomingBody, Method, Request};
|
||||
use sha2::{Digest, Sha256};
|
||||
|
||||
|
|
@ -74,13 +74,12 @@ async fn check_standard_signature(
|
|||
let authorization = Authorization::parse_header(request.headers())?;
|
||||
|
||||
// Verify that all necessary request headers are included in signed_headers
|
||||
// The following must be included for all signatures:
|
||||
// For standard AWSv4 signatures, the following must be included:
|
||||
// - the Host header (mandatory)
|
||||
// - the Content-Type header, if it is used in the request
|
||||
// - all x-amz-* headers used in the request
|
||||
// AWS also indicates that the Content-Type header should be signed if
|
||||
// it is used, but Minio client doesn't sign it so we don't check it for compatibility.
|
||||
let signed_headers = split_signed_headers(&authorization)?;
|
||||
verify_signed_headers(request.headers(), &signed_headers)?;
|
||||
verify_signed_headers(request.headers(), &signed_headers, &[CONTENT_TYPE])?;
|
||||
|
||||
let canonical_request = canonical_request(
|
||||
service,
|
||||
|
|
@ -130,7 +129,7 @@ async fn check_presigned_signature(
|
|||
// - the Host header (mandatory)
|
||||
// - all x-amz-* headers used in the request
|
||||
let signed_headers = split_signed_headers(&authorization)?;
|
||||
verify_signed_headers(request.headers(), &signed_headers)?;
|
||||
verify_signed_headers(request.headers(), &signed_headers, &[])?;
|
||||
|
||||
// The X-Amz-Signature value is passed as a query parameter,
|
||||
// but the signature cannot be computed from a string that contains itself.
|
||||
|
|
@ -230,12 +229,16 @@ fn split_signed_headers(authorization: &Authorization) -> Result<Vec<HeaderName>
|
|||
Ok(signed_headers)
|
||||
}
|
||||
|
||||
fn verify_signed_headers(headers: &HeaderMap, signed_headers: &[HeaderName]) -> Result<(), Error> {
|
||||
fn verify_signed_headers(
|
||||
headers: &HeaderMap,
|
||||
signed_headers: &[HeaderName],
|
||||
extra_headers: &[HeaderName],
|
||||
) -> Result<(), Error> {
|
||||
if !signed_headers.contains(&HOST) {
|
||||
return Err(Error::bad_request("Header `Host` should be signed"));
|
||||
}
|
||||
for (name, _) in headers.iter() {
|
||||
if name.as_str().starts_with("x-amz-") {
|
||||
if name.as_str().starts_with("x-amz-") || extra_headers.contains(name) {
|
||||
if !signed_headers.contains(name) {
|
||||
return Err(Error::bad_request(format!(
|
||||
"Header `{}` should be signed",
|
||||
|
|
|
|||
Loading…
Reference in a new issue