
Comments (3)

kherock commented on May 26, 2024

This just means that we need to support options and metadata specified through query parameters instead of headers, right? What happens to metadata specified through HTTP headers? I'm guessing that normally S3 responds with a 403 because the signature won't match, but we don't do signing yet.

from s3rver.

kherock commented on May 26, 2024

Hey, I finally had some time to research (and look into implementing) this, but I think the specific example you gave with Content-Type doesn't actually work due to how request signing works. Omitting custom metadata works fine, but traditional headers (like Content-Type or Content-Disposition) must be specified as headers or else S3 will throw SignatureDoesNotMatch.

Anyway, if this sounds incorrect let me know. My plan is to perform faux-signature matching by ensuring that the metadata specified in query params match those specified in headers, with the exception of omitted x-amz-* headers.


kherock commented on May 26, 2024

This is actually more nuanced than I expected. So far I've determined the following behavior (most of it can be derived from here):

For a field in the query params starting with x-amz-*

  • use the value specified in the query params, ignore matching fields specified in the request headers

For a field in the query params or request headers not starting with x-amz-* (except for Content-Type and Content-MD5)

  • (interestingly) completely ignore them in signature verification
    • AWS doesn't include these headers when calculating the signature since adding/removing these fields from both query params and headers has no effect on the validity of the signature

For Content-MD5 and Content-Type in query params

  • values are ignored, AWS will only consider the values specified in request headers
  • reports SignatureDoesNotMatch if there isn't an exact match in the request headers
    • This includes omitting the header if the signature is calculated without Content-Type header

For a field in the request headers starting with x-amz-*

  • only report a mismatch if it was present in the signed canonical request but not included as a query param
  • ignore the value if the field is present as a query param

Once this is done I'll probably open a new issue tracking proper verification of request signatures.

from s3rver.
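The rules listed in the last comment above, written as a check a mock server could run (an added example, not part of the thread and not s3rver's code). The function name, its input shape, and the `signed` map standing in for the headers of the signed canonical request are assumptions; the behaviour encoded is what the comment reports.

```javascript
// Added example, not s3rver code. Field names are compared case-insensitively.
const CONTENT_FIELDS = ['content-md5', 'content-type'];

const lower = (obj = {}) =>
  Object.fromEntries(Object.entries(obj).map(([k, v]) => [k.toLowerCase(), v]));

// signed:  headers the client put in the canonical request (assumed known here)
// query:   query parameters of the presigned URL
// headers: headers actually sent with the request
function checkPresignedFields({ signed, query, headers }) {
  const s = lower(signed), q = lower(query), h = lower(headers);
  const fail = (field) => ({ ok: false, code: 'SignatureDoesNotMatch', field });
  const fields = {};

  // Content-MD5 / Content-Type: query values are ignored. The header must equal
  // the signed value exactly, and must be absent when it was not signed.
  for (const name of CONTENT_FIELDS) {
    if (s[name] !== h[name]) return fail(name);
    if (h[name] !== undefined) fields[name] = h[name];
  }

  // x-amz-* headers: compared with the signed value only when no query
  // parameter of the same name exists. Other headers are never verified.
  for (const [name, value] of Object.entries(h)) {
    if (!name.startsWith('x-amz-') || name in q) continue;
    if (name in s && s[name] !== value) return fail(name);
    fields[name] = value;
  }

  // x-amz-* query parameters: their value is the one used.
  for (const [name, value] of Object.entries(q)) {
    if (name.startsWith('x-amz-')) fields[name] = value;
  }
  return { ok: true, fields };
}

// Constructed sample request: the header disagrees with the query parameter.
const sample = checkPresignedFields({
  signed: { 'x-amz-meta-owner': 'alice' },
  query: { 'X-Amz-Meta-Owner': 'alice', 'response-content-disposition': 'inline' },
  headers: { 'x-amz-meta-owner': 'mallory', 'Content-Disposition': 'attachment' },
});
console.log(sample); // ok: true, owner taken from the query parameter
```

A signed x-amz-* field that is missing from both the headers and the query string is not covered by the comment's rules, so the example does not flag it.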
