updown OAuth fails with valid credentials due to delayed timestamp verification
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu One Servers | Fix Released | High | Sidnei da Silva |
Bug Description
OAuth headers used to check the validity of the request contain the timestamp of the request to prevent replay attacks. It is working well (unless the client's time is completely off, but we are working around that in Ubuntu, Windows and Android clients). Usually all requests take less than 15 minutes (the default for OAuth in updown).
Now the client initiates a PUT request which (depending on the client's bandwidth) may take much more than 15 minutes. By the time the request is consumed by the server and gets processed, the timestamp is already off and the request is discarded with an OAuth error (which at the moment is handled incorrectly by redirecting to an HTML login page).
This is a cause of bug 879342 in deja-dup.
For deja-dup, the upload speed needs to be at least 217 kbps for a 25 MB volume to complete uploading within 15 minutes.
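The ordering problem described above, as an added illustration that is not code from the updown server or from this bug: the same `oauth_timestamp` is accepted or rejected depending on whether the server compares it against the clock when the headers arrive or only after the whole PUT body has been streamed in. The header format, the 15-minute tolerance in seconds, the `simulate_upload` scenario and all sample values are constructed assumptions; signature checking and nonce tracking (the other half of replay protection) are left out.

```python
import re

# 15-minute window quoted in the bug report for updown (assumed to be in seconds).
OAUTH_TIMESTAMP_TOLERANCE = 15 * 60


def parse_oauth_timestamp(authorization_header):
    """Extract oauth_timestamp from an `Authorization: OAuth ...` header.

    OAuth 1.0 headers carry comma-separated key="value" pairs; only the
    timestamp is needed here. Returns None when it is absent.
    """
    match = re.search(r'oauth_timestamp="(\d+)"', authorization_header)
    return int(match.group(1)) if match else None


def timestamp_is_fresh(oauth_timestamp, reference_time,
                       tolerance=OAUTH_TIMESTAMP_TOLERANCE):
    """True if the client's timestamp lies within `tolerance` seconds of
    `reference_time` (either direction, so mild clock skew is tolerated)."""
    return abs(reference_time - oauth_timestamp) <= tolerance


def verify_after_body(authorization_header, headers_received_at, body_transfer_seconds):
    """Failure mode from the bug: the timestamp is only compared with the
    clock after the entire body has been read, so a slow upload looks stale."""
    ts = parse_oauth_timestamp(authorization_header)
    if ts is None:
        return False
    body_complete_at = headers_received_at + body_transfer_seconds
    return timestamp_is_fresh(ts, body_complete_at)


def verify_before_body(authorization_header, headers_received_at, body_transfer_seconds):
    """Fix: evaluate the timestamp against the moment the headers arrived,
    before the body is consumed; how long the body takes no longer matters."""
    ts = parse_oauth_timestamp(authorization_header)
    if ts is None:
        return False
    return timestamp_is_fresh(ts, headers_received_at)


def simulate_upload(transfer_seconds, client_clock_skew=0,
                    headers_received_at=1_700_000_000):
    """Constructed scenario: the client signs at (server time + skew), then
    streams a body that takes `transfer_seconds` to arrive.
    Returns (accepted_when_checked_after_body, accepted_when_checked_before_body)."""
    header = ('OAuth oauth_consumer_key="example-key", '
              'oauth_timestamp="%d", oauth_nonce="c0ffee"'
              % (headers_received_at + client_clock_skew))
    return (verify_after_body(header, headers_received_at, transfer_seconds),
            verify_before_body(header, headers_received_at, transfer_seconds))


if __name__ == "__main__":
    # A 20-minute transfer on a slow link: rejected by the late check, accepted by the early one.
    print(simulate_upload(20 * 60))
    # A 5-minute transfer fits inside the window either way.
    print(simulate_upload(5 * 60))
    # A client whose clock really is 20 minutes behind is rejected by both checks.
    print(simulate_upload(20 * 60, client_clock_skew=-20 * 60))
```

The early check is the one a server streaming large bodies should perform: it bounds the replay window by the time at which the signed headers were received, which is what the client's timestamp actually describes, rather than by how long the network took to deliver the payload.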
visibility: | private → public |
Changed in ubuntuone-servers: | |
assignee: | nobody → Ubuntu One Ops+ team (ubuntuone-ops+) |
description: | updated |
description: | updated |
description: | updated |
Changed in ubuntuone-servers: | |
status: | New → Triaged |
tags: | added: ops+ |
Changed in ubuntuone-servers: | |
importance: | Undecided → High |
tags: | added: rest-api |
Changed in ubuntuone-servers: | |
assignee: | Ubuntu One Ops+ team (ubuntuone-ops+) → Vincenzo Di Somma (vds) |
status: | Triaged → In Progress |
Changed in ubuntuone-servers: | |
assignee: | Vincenzo Di Somma (vds) → Sidnei da Silva (sidnei) |
summary: | updown OAuth may fail with valid credentials → updown OAuth fails with valid credentials due to delayed timestamp verification |
tags: | added: support |
description: | updated |
Changed in ubuntuone-servers: | |
assignee: | Sidnei da Silva (sidnei) → Roman Yepishev (rye) |
Changed in ubuntuone-servers: | |
assignee: | Roman Yepishev (rye) → Sidnei da Silva (sidnei) |
Changed in ubuntuone-servers: | |
status: | In Progress → Fix Released |
The reason for this behavior was found (thanks karni!).
OAuth headers used to check the validity of the request contain the timestamp of the request to prevent replay attacks. It is working well (unless the client's time is completely off, but we are working around that in Ubuntu, Windows and Android clients). Usually all requests take less than 5 minutes (the default for OAuth).
Now the client initiates a PUT request which (depending on the client's bandwidth) may take much more than 5 minutes. By the time the request is consumed by the server and gets processed, the timestamp is already off and the request is discarded with an OAuth error (which at the moment is handled incorrectly by redirecting to an HTML login page).