Check for value > 7 days in X-Amz-Expires header. (#5163)

Add a check to see if the X-Amz-Expires header in the presigned URL is less than 7 days.

Fixes #5162
master
kannappanr 7 years ago committed by Dee Koder
parent d10679866c
commit f460eceb6d
  1. 6
      cmd/api-errors.go
  2. 5
      cmd/signature-v4-parser.go
  3. 24
      cmd/signature-v4-parser_test.go

@ -120,6 +120,7 @@ const (
ErrBucketAlreadyExists
ErrMetadataTooLarge
ErrUnsupportedMetadata
ErrMaximumExpires
// Add new error codes here.
// Server-Side-Encryption (with Customer provided key) related API errors.
@ -725,6 +726,11 @@ var errorCodeResponse = map[APIErrorCode]APIError{
Description: errObjectTampered.Error(),
HTTPStatusCode: http.StatusPartialContent,
},
ErrMaximumExpires: {
Code: "AuthorizationQueryParametersError",
Description: "X-Amz-Expires must be less than a week (in seconds); that is, the given X-Amz-Expires must be less than 604800 seconds",
HTTPStatusCode: http.StatusBadRequest,
},
// Add your error structure here.
}

@ -188,6 +188,11 @@ func parsePreSignV4(query url.Values) (psv preSignValues, aec APIErrorCode) {
if preSignV4Values.Expires < 0 {
return psv, ErrNegativeExpires
}
// Check if Expiry time is less than 7 days (value in seconds).
if preSignV4Values.Expires.Seconds() > 604800 {
return psv, ErrMaximumExpires
}
// Save signed headers.
preSignV4Values.SignedHeaders, err = parseSignedHeader("SignedHeaders=" + query.Get("X-Amz-SignedHeaders"))
if err != ErrNone {

@ -750,6 +750,30 @@ func TestParsePreSignV4(t *testing.T) {
},
expectedErrCode: ErrNone,
},
// Test case - 9.
// Test case with value greater than 604800 in X-Amz-Expires header.
{
inputQueryKeyVals: []string{
// valid "X-Amz-Algorithm" header.
"X-Amz-Algorithm", signV4Algorithm,
// valid "X-Amz-Credential" header.
"X-Amz-Credential", joinWithSlash(
"Z7IXGOO6BZ0REAN1Q26I",
sampleTimeStr,
"us-west-1",
"s3",
"aws4_request"),
// valid "X-Amz-Date" query.
"X-Amz-Date", queryTime.UTC().Format(iso8601Format),
// Invalid Expiry time greater than 7 days (604800 in seconds).
"X-Amz-Expires", getDurationStr(605000),
"X-Amz-Signature", "abcd",
"X-Amz-SignedHeaders", "host;x-amz-content-sha256;x-amz-date",
},
expectedPreSignValues: preSignValues{},
expectedErrCode: ErrMaximumExpires,
},
}
for i, testCase := range testCases {

Loading…
Cancel
Save