Comments (3)
This just means that we need to support options and metadata specified through query parameters instead of headers, right? What happens to metadata specified through HTTP headers? I'm guessing that normally S3 responds with a 403 because the signature won't match, but we don't do signing yet.
from s3rver.
Hey, I finally had some time to research (and look into implementing) this, but I think the specific example you gave with `Content-Type` doesn't actually work due to how request signing works. Omitting custom metadata works fine, but traditional headers (like `Content-Type` or `Content-Disposition`) must be specified as headers or else S3 will throw `SignatureDoesNotMatch`.
Anyway, if this sounds incorrect let me know. My plan is to perform faux-signature matching by ensuring that the metadata specified in query params match those specified in headers, with the exception of omitted `x-amz-*` headers.
from s3rver.
This is actually more nuanced than I expected. So far I've determined the following behavior (most of it can be derived from here):

For a field in the query params starting with `x-amz-*`
- use the value specified in the query params, ignore matching fields specified in the request headers

For a field in the query params or request headers not starting with `x-amz-*` (except for `Content-Type` and `Content-MD5`)
- (interestingly) completely ignore them in signature verification
- AWS doesn't include these headers when calculating the signature since adding/removing these fields from both query params and headers has no effect on the validity of the signature

For `Content-MD5` and `Content-Type` in query params
- values are ignored, AWS will only consider the values specified in request headers
- reports `SignatureDoesNotMatch` if there isn't an exact match in the request headers
  - This includes omitting the header if the signature is calculated without the `Content-Type` header

For a field in the request headers starting with `x-amz-*`
- only report a mismatch if it was present in the signed canonical request but not included as a query param
- ignore the value if the field is present as a query param

Once this is done I'll probably open a new issue tracking proper verification of request signatures.
from s3rver.
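The four rules listed in the comment above, applied to one presigned request, as an added example. This is not s3rver's code; it assumes three plain objects that the thread does not define: `query` (query-string parameters), `headers` (request headers) and `signed` (the headers that were part of the canonical request when the URL was signed, with the values they had at signing time). It returns whether a `SignatureDoesNotMatch` should be reported and which metadata values win after precedence.

```javascript
// Added example (not s3rver's code): applies the header/query precedence rules
// from the comment above to one presigned request.
//
// Assumed inputs (not from the thread):
//   query   - query-string parameters, name -> value
//   headers - request headers, name -> value
//   signed  - headers that were in the canonical request when the URL was
//             signed, name -> value as they were at signing time

// Headers whose query-string value is ignored and whose header value must
// match the signed value exactly (including being absent if not signed).
const STRICT = new Set(['content-type', 'content-md5']);

// Header and query names are matched case-insensitively.
function lowerKeys(obj) {
  const out = {};
  for (const [k, v] of Object.entries(obj || {})) out[k.toLowerCase()] = v;
  return out;
}

function isAmz(name) {
  return name.startsWith('x-amz-');
}

function reconcilePresignedRequest({ query, headers, signed }) {
  const q = lowerKeys(query);
  const h = lowerKeys(headers);
  const s = lowerKeys(signed);
  const mismatches = [];
  const effective = {};

  // Rule 1: x-amz-* in the query string wins; a header of the same name is ignored.
  for (const [name, value] of Object.entries(q)) {
    if (isAmz(name)) effective[name] = value;
  }

  // Rule 4: an x-amz-* header is a mismatch only when it was signed but the
  // query string does not carry it. The thread says nothing about unsigned
  // x-amz-* headers that are absent from the query; this example keeps
  // their value (assumption).
  for (const [name, value] of Object.entries(h)) {
    if (!isAmz(name) || name in q) continue;
    if (name in s) {
      mismatches.push(`${name}: signed header missing from query string`);
    } else {
      effective[name] = value;
    }
  }

  // Rule 3: Content-Type / Content-MD5 query values are ignored; the header
  // must equal the signed value, and must be absent if it was not signed.
  for (const name of STRICT) {
    const wasSigned = name in s;
    const present = name in h;
    if (wasSigned !== present || (present && h[name] !== s[name])) {
      mismatches.push(`${name}: header does not match signed value`);
    }
    if (present) effective[name] = h[name];
  }

  // Rule 2: every other non-x-amz-* field plays no part in verification;
  // pass the header value through unchanged.
  for (const [name, value] of Object.entries(h)) {
    if (!isAmz(name) && !STRICT.has(name)) effective[name] = value;
  }

  return { ok: mismatches.length === 0, mismatches, effective };
}

// Constructed sample: a presigned PUT whose custom metadata travels in the
// query string while Content-Type stays in the headers, signed with the
// same Content-Type. Hostname is a placeholder.
const SAMPLE = {
  query: { 'X-Amz-Meta-Author': 'alice', 'x-amz-acl': 'private', 'Content-Type': 'text/plain' },
  headers: { 'Content-Type': 'application/json', 'x-amz-meta-author': 'bob', 'Content-Disposition': 'attachment' },
  signed: { host: 'bucket.example.invalid', 'content-type': 'application/json' },
};

function checkSample() {
  return reconcilePresignedRequest(SAMPLE);
}

console.log(JSON.stringify(checkSample(), null, 2));
```

On the sample, the query-string `x-amz-meta-author` (`alice`) overrides the header (`bob`), the query `Content-Type` is ignored in favour of the signed header value, and `Content-Disposition` passes through without affecting verification; swapping the `Content-Type` header for a different value, or sending it when it was not signed, produces a mismatch.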