Verify both 'x-amz-date' and 'date' header before discarding request

master
Harshavardhana 10 years ago
parent 62648c8636
commit 8087ca2450
  1. 13
      pkg/utils/crypto/signers/signers.go

@ -34,8 +34,11 @@ func SignRequest(user config.User, req *http.Request) {
// This package implements verification side of Object API Signature request
func ValidateRequest(user config.User, req *http.Request) (bool, error) {
if date := req.Header.Get("Date"); date == "" {
return false, fmt.Errorf("Date should be set")
// Verify if date headers are set, if not reject the request
if req.Header.Get("x-amz-date") == "" {
if req.Header.Get("Date") == "" {
return false, fmt.Errorf("Date should be set")
}
}
hm := hmac.New(sha1.New, []byte(user.SecretKey))
ss := getStringToSign(req)
@ -48,9 +51,9 @@ func ValidateRequest(user config.User, req *http.Request) (bool, error) {
encoder.Close()
// DEBUG
// fmt.Println("Request header sent: ", req.Header.Get("Authorization"))
// fmt.Println("Header calculated: ", authHeader.String())
// fmt.Printf("%q : %x", ss, ss)
//fmt.Println("Request header sent: ", req.Header.Get("Authorization"))
//fmt.Println("Header calculated: ", authHeader.String())
//fmt.Printf("%q : %x", ss, ss)
if req.Header.Get("Authorization") != authHeader.String() {
return false, fmt.Errorf("Authorization header mismatch")
}

Loading…
Cancel
Save