Comment 15 for bug 1497424

OpenStack Infra (hudson-openstack) wrote : Fix merged to swift3 (master)

Reviewed: https://review.openstack.org/255067
Committed: https://git.openstack.org/cgit/openstack/swift3/commit/?id=4fce274c50112e02360993c4eeaafe811fcc757c
Submitter: Jenkins
Branch: master

commit 4fce274c50112e02360993c4eeaafe811fcc757c
Author: Kota Tsuyuzaki <email address hidden>
Date: Wed Nov 25 14:16:06 2015 -0800

    Fix date validation

    According to [1] when an Authorization header is specified, either a
    Date or x-amz-date header needs to be specified, with the x-amz-date
    header taking precedence.

    Now, the x-amz-date header is validated first, and if both headers are
    missing, an AccessDenied error should be returned. This should prevent
    replay attacks occurring on valid requests that are missing the Date
    header.

    [1] http://docs.aws.amazon.com/AmazonS3/latest/API/RESTCommonRequestHeaders.html

    N.B. This also fixes some pylint issues and dependencies

    Closes-Bug: 1497424
    SecurityImpact
    [CVE-2015-8466]

    Co-Authored-By: Darryl Tam <email address hidden>
    Co-Authored-By: Tim Burke <email address hidden>

    Change-Id: Ibeff8503fa147e1cf08c1b5374aecee7a4c0bee2
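
A sketch of the header precedence rule the commit message describes, added here as an illustration; it is not code from swift3 or from the commit. The names `request_timestamp`, `AccessDenied` and `MAX_SKEW`, the 15-minute window and the two accepted date formats are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumption: freshness window picked for this sketch; the commit message names no value.
MAX_SKEW = timedelta(minutes=15)


class AccessDenied(Exception):
    """Stand-in for the AccessDenied error response named in the commit message."""


def request_timestamp(headers, now=None):
    """Return the validated time of a signed request, or None if it is unsigned."""
    now = now or datetime.now(timezone.utc)
    h = {k.lower(): v for k, v in headers.items()}
    if 'authorization' not in h:
        return None  # the rule only applies when an Authorization header is sent
    # x-amz-date takes precedence; when present it is the only header considered,
    # so a malformed value is rejected rather than falling back to Date.
    if 'x-amz-date' in h:
        raw = h['x-amz-date']
    elif 'date' in h:
        raw = h['date']
    else:
        raise AccessDenied('signed request carries neither Date nor x-amz-date')
    ts = _parse(raw)
    # Simplification: a stale or future timestamp is reported with the same error.
    if abs(now - ts) > MAX_SKEW:
        raise AccessDenied('request timestamp outside the allowed window')
    return ts


def _parse(raw):
    """Accept an HTTP-date or the compact ISO 8601 form (YYYYMMDDTHHMMSSZ)."""
    try:
        return datetime.strptime(raw, '%Y%m%dT%H%M%SZ').replace(tzinfo=timezone.utc)
    except ValueError:
        pass
    try:
        ts = parsedate_to_datetime(raw)
    except (TypeError, ValueError):
        raise AccessDenied('unparseable date header: %r' % raw)
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)
```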