commit 423f96293b6eb43504b5370e893c280697ed23c9
Author: Tim Burke <email address hidden>
Date: Tue Dec 11 15:29:35 2018 -0800
Verify client input for v4 signatures
This is a combination of 2 commits.
==========
Previously, we would use the X-Amz-Content-SHA256 value when calculating
signatures, but wouldn't actually check the content that was sent. This
would allow a malicious third party that managed to capture the headers
for an object upload to overwrite that with arbitrary content provided
they could do so within the 5-minute clock-skew window.
Now, we wrap the wsgi.input that's sent on to the proxy-server app to
hash content as it's read and raise an error if there's a mismatch. Note
that clients using presigned-urls to upload have no defense against a
similar replay attack.
Notwithstanding the above security consideration, this *also* provides
better assurances that the client's payload was received correctly. Note
that this *does not* attempt to send an etag in footers, however, so the
proxy-to-object-server connection is not guarded against bit-flips.
In the future, Swift will hopefully grow a way to perform SHA256
verification on the object-server. This would offer two main benefits:
- End-to-end message integrity checking.
- Move CPU load of calculating the hash from the proxy (which is
somewhat CPU-bound) to the object-server (which tends to have CPU to
spare).
Closes-Bug: 1765834
(cherry picked from commit 3a8f5dbf9c49fdf1cf2d0b7ba35b82f25f88e634)
----------
s3api: Allow clients to upload with UNSIGNED-PAYLOAD
(Some versions of?) awscli/boto3 will do v4 signatures but send a
Content-MD5 for end-to-end validation. Since a X-Amz-Content-SHA256
is still required to calculate signatures, it uses UNSIGNED-PAYLOAD
similar to how signatures work for pre-signed URLs.
Look for UNSIGNED-PAYLOAD and skip SHA256 validation if set.
(cherry picked from commit 82e446a8a0c0fd6a81f06717b76ed3d1be26a281)
(cherry picked from commit 6ed165cf3f65329beaef9977a5fec24ce3ac0b39)
Reviewed: https:/ /review. opendev. org/689883 /git.openstack. org/cgit/ openstack/ swift/commit/ ?id=423f96293b6 eb43504b5370e89 3c280697ed23c9
Committed: https:/
Submitter: Zuul
Branch: stable/rocky
commit 423f96293b6eb43 504b5370e893c28 0697ed23c9
Author: Tim Burke <email address hidden>
Date: Tue Dec 11 15:29:35 2018 -0800
Verify client input for v4 signatures
This is a combination of 2 commits.
==========
Previously, we would use the X-Amz-Content- SHA256 value when calculating
signatures, but wouldn't actually check the content that was sent. This
would allow a malicious third party that managed to capture the headers
for an object upload to overwrite that with arbitrary content provided
they could do so within the 5-minute clock-skew window.
Now, we wrap the wsgi.input that's sent on to the proxy-server app to
hash content as it's read and raise an error if there's a mismatch. Note
that clients using presigned-urls to upload have no defense against a
similar replay attack.
Notwithstanding the above security consideration, this *also* provides to-object- server connection is not guarded against bit-flips.
better assurances that the client's payload was received correctly. Note
that this *does not* attempt to send an etag in footers, however, so the
proxy-
In the future, Swift will hopefully grow a way to perform SHA256
verification on the object-server. This would offer two main benefits:
- End-to-end message integrity checking.
- Move CPU load of calculating the hash from the proxy (which is
somewhat CPU-bound) to the object-server (which tends to have CPU to
spare).
Closes-Bug: 1765834 1cf2d0b7ba35b82 f25f88e634)
(cherry picked from commit 3a8f5dbf9c49fdf
----------
s3api: Allow clients to upload with UNSIGNED-PAYLOAD
(Some versions of?) awscli/boto3 will do v4 signatures but send a SHA256
Content-MD5 for end-to-end validation. Since a X-Amz-Content-
is still required to calculate signatures, it uses UNSIGNED-PAYLOAD
similar to how signatures work for pre-signed URLs.
Look for UNSIGNED-PAYLOAD and skip SHA256 validation if set.
(cherry picked from commit 82e446a8a0c0fd6 a81f06717b76ed3 d1be26a281) beaef9977a5fec2 4ce3ac0b39)
(cherry picked from commit 6ed165cf3f65329
==========
Change-Id: I61eb12455c3737 6be4d739eee55a5 f439216f0e9