Skip to content

Expires time is calculated twice when using expires_in and can cause signature authentication problems#54

Open
loe wants to merge 2 commits into
marcel:masterfrom
loe:master
Open

Expires time is calculated twice when using expires_in and can cause signature authentication problems#54
loe wants to merge 2 commits into
marcel:masterfrom
loe:master

Conversation

@loe
Copy link
Copy Markdown

@loe loe commented Feb 1, 2012

@bmo figured this out, I'm just the messenger.

The build method in QueryString calls #expires, and so does #encoded_canonical.

 # Keep in alphabetical order
 def build
   "AWSAccessKeyId=#{access_key_id}&Expires=#{expires}&Signature=#{encoded_canonical}"
 end

If these calls lie on separate sides of a second tick the signature will be wrong. The solution is to memoize the first call so encoded_canonical uses the same value.

j15e added a commit to didacte/aws-sdk-ruby that referenced this pull request Jul 3, 2015
@j15e
Ensure S3 presigned default expires time is not changing
3a09755 
It occurred to us that signatures end up invalid randomly because the default signature time is computed twice and we can end up with a policy that was signed for a policy with an expiration time 1 second earlier.

To be specific, the policy is computed twice inside the `fields` method which uses the `formation_expiration` twice too, which in turn computes `Time.now` at two different times.

@see marcel/aws-s3#54 (similar issue)
@j15e j15e mentioned this pull request Jul 3, 2015
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@loe