Date validation bypassed if 'Date' header missing (CVE-2015-8466)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Swift3 |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
According to http://
If both are specified, the x-amz-date header takes precedence.
Right now, only the Date header is validated against expiry or skewed by more than 5 minutes. See _validate_headers function in request.py for validation code. x-amz-date should take precedence.
It appears that if the Date header is missing for any reason, then these checks are not done and the request would validate. Swift3 would then be vulnerable to a replay attack, since the request could be replayed at any time, even after expiry time, or after the skew period. This would be most likely to occur with a client that only uses the x-amz-date headers with Authorization requests.
I think the solution should be to a) validate the x-amz-date header. b) Respond with an error if the date/x-amz-date headers don't validate when the authorization header is sent. S3 returns the AccessDenied error 'AWS authentication requires a valid Date or x-amz-date header' if the header(s) are missing or malformed.
CVE References
summary: |
- Date validation bypassed if "Date' header missing + Date validation bypassed if 'Date' header missing |
Changed in swift3: | |
status: | New → Confirmed |
Changed in swift3: | |
status: | Confirmed → In Progress |
summary: |
- Date validation bypassed if 'Date' header missing + Date validation bypassed if 'Date' header missing (CVE-2015-8466) |
I didn't see this patch in detail yet but attach Darryl's patch I received via E-mail for discussion.