From b5eb17dbde21d3468e3f7116990606aa07acf531 Mon Sep 17 00:00:00 2001
From: Darryl Tam
Date: Fri, 18 Sep 2015 15:58:19 -0700
Subject: [PATCH] Fix date validation

According to [1] when an Authorization header is specified, either a Date or x-amz-date header needs to be specified, with the x-amz-date header taking precedence. Now, the x-amz-date header is validated first, and if both headers are missing, an AccessDenied error should be returned. This should prevent replay attacks occuring on valid requests that are missing the Date header.

[1] http://docs.aws.amazon.com/AmazonS3/latest/API/RESTCommonRequestHeaders.html

Closes-Bug: 1497424
SecurityImpact
Change-Id: Ibeff8503fa147e1cf08c1b5374aecee7a4c0bee2
---
 swift3/request.py | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/swift3/request.py b/swift3/request.py
index d99c3a8..b54c460 100644
--- a/swift3/request.py
+++ b/swift3/request.py
@@ -186,9 +186,11 @@ class Request(swob.Request):
 raise InvalidArgument('Content-Length', self.environ['CONTENT_LENGTH'])
- if 'Date' in self.headers:
+ date_header = self.headers.get('x-amz-date', self.headers.get('Date', None))
+ if date_header:
 now = datetime.datetime.utcnow()
- date = email.utils.parsedate(self.headers['Date'])
+ date = email.utils.parsedate(date_header)
 if 'Expires' in self.params:
 try:
 d = email.utils.formatdate(float(self.params['Expires']))
@@ -213,7 +215,11 @@ class Request(swob.Request):
 if abs(d1 - now) > delta:
 raise RequestTimeTooSkewed()
 else:
- raise AccessDenied()
+ raise AccessDenied('AWS authentication requires a valid Date ' 'or x-amz-date header')
+ else:
+ raise AccessDenied('AWS authentication requires a valid Date ' 'or x-amz-date header')
 if 'Content-MD5' in self.headers:
 value = self.headers['Content-MD5']
-- 
2.4.1
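Review bot: The new `else: raise AccessDenied(...)` at the end of the second hunk rejects every request carrying neither a Date nor an x-amz-date header, but the `if 'Expires' in self.params:` branch nested inside `if date_header:` in the first hunk shows this same path also serves query-string (presigned-URL) authentication, for which S3 bounds the request with Expires rather than a Date header; if that reading is right, a client fetching a presigned URL without a Date header is now refused outright instead of being checked against Expires. The Expires check should be hoisted above the header requirement so query-authenticated requests are bounded by Expires and header-authenticated ones by Date/x-amz-date. Separately, `self.headers.get('x-amz-date', self.headers.get('Date', None))` returns an empty x-amz-date value instead of falling back to Date, and the same AccessDenied message literal is duplicated across two branches; a single `if not date_header:` guard removes both. The enclosing method starts before the first hunk and continues between the two hunks, so the epoch, skew and expiry checks those lines reference are not visible here.
```python
        if 'Expires' in self.params:
            # Query-string auth: Expires bounds the request lifetime, so a
            # Date / x-amz-date header is not required on this path.
            now = datetime.datetime.utcnow()
            # … unchanged: parse Expires, AccessDenied when expired …
        else:
            date_header = (self.headers.get('x-amz-date') or
                           self.headers.get('Date'))
            if not date_header:
                raise AccessDenied('AWS authentication requires a valid Date '
                                   'or x-amz-date header')
            now = datetime.datetime.utcnow()
            date = email.utils.parsedate(date_header)
            # … adapted: the former `elif date is not None:` becomes a plain
            # `if`; epoch and clock-skew checks and the AccessDenied for an
            # unparseable date are otherwise unchanged …
```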