From 32201a18abe816b18e184bcc8f07e637a583151e Mon Sep 17 00:00:00 2001
From: Anis Elleuch
Date: Fri, 9 Sep 2016 23:33:35 +0100
Subject: [PATCH] Forbid requests generated at least 15 min in the past or in the future (#2648)

---
 cmd/generic-handlers.go | 7 ++++---
 cmd/globals.go | 7 +++++++
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/cmd/generic-handlers.go b/cmd/generic-handlers.go
index c91c3e0c8..2c38c6c71 100644
--- a/cmd/generic-handlers.go
+++ b/cmd/generic-handlers.go
@@ -198,9 +198,10 @@ func (h timeHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 writeErrorResponse(w, r, apiErr, r.URL.Path)
 return
 }
- // Verify if the request date header is more than 5minutes
- // late, reject such clients.
- if time.Now().UTC().Sub(amzDate)/time.Minute > time.Duration(5)*time.Minute {
+ // Verify if the request date header is shifted by less than maxSkewTime parameter in the past
+ // or in the future, reject request otherwise.
+ curTime := time.Now().UTC()
+ if curTime.Sub(amzDate) > maxSkewTime || amzDate.Sub(curTime) > maxSkewTime {
 writeErrorResponse(w, r, ErrRequestTimeTooSkewed, r.URL.Path)
 return
 }
diff --git a/cmd/globals.go b/cmd/globals.go
index 136a53580..625ba1925 100644
--- a/cmd/globals.go
+++ b/cmd/globals.go
@@ -17,6 +17,8 @@
 package cmd

 import (
+ "time"
+
 "github.com/fatih/color"
 "github.com/minio/minio/pkg/objcache"
 )
@@ -58,6 +60,11 @@ var (
 maxFormFieldSize = int64(1024 * 1024)
 )

+var (
+ // The maximum allowed difference between the request generation time and the server processing time
+ maxSkewTime = 15 * time.Minute
+)
+
 // global colors.
 var (
 colorBlue = color.New(color.FgBlue).SprintfFunc()
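Review bot: The new comment above the skew check in timeHandler.ServeHTTP (cmd/generic-handlers.go) describes the accepted case first and only then says "reject request otherwise", and neither it nor the commit subject ("at least 15 min") matches the strict `>` comparisons, which still accept a request exactly maxSkewTime away from the server clock. I would state the rule directly, e.g. `// Reject requests whose date differs from the server clock by more than maxSkewTime in either direction.`, and add a line on the purpose (presumably bounding the window in which a captured request can be replayed) if that is the intent. The two comparisons can also be folded into one signed difference, `if d := curTime.Sub(amzDate); d > maxSkewTime || d < -maxSkewTime {`, which reads as a single symmetric bound. amzDate is parsed above the hunk, so whether it is taken from a header covered by the request signature cannot be confirmed from here.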
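Review bot: In the second hunk of cmd/globals.go, maxSkewTime is declared as a package-level `var`, so any code in package cmd can widen the request-time window at runtime; since the handler treats it as a fixed limit, `const maxSkewTime = 15 * time.Minute` would rule that out. If it is kept mutable so tests can shorten the window, the comment should say so. The comment could also name the consumer and the effect, for example `// maxSkewTime is the largest allowed difference, in either direction, between a request's date and the server clock; timeHandler rejects requests outside it with ErrRequestTimeTooSkewed.`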