From 2b5173f61790812e3dd8513aa5a1a63fce9cd2bf Mon Sep 17 00:00:00 2001
From: Andrew Gaul
Date: Mon, 15 Oct 2012 11:42:28 -0700
Subject: [PATCH] Remove X-Auth-Token from HP temporary signing

HP Cloud does not use X-Auth-Token for temporary signed URLs and leaking this allows clients arbitrary privileges until token timeout.
---
 .../blobstore/HPCloudObjectStorageBlobRequestSigner.java | 5 ++++-
 .../blobstore/HPCloudObjectStorageBlobSignerExpectTest.java | 4 ++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/providers/hpcloud-objectstorage/src/main/java/org/jclouds/hpcloud/objectstorage/blobstore/HPCloudObjectStorageBlobRequestSigner.java b/providers/hpcloud-objectstorage/src/main/java/org/jclouds/hpcloud/objectstorage/blobstore/HPCloudObjectStorageBlobRequestSigner.java
index 571afa742d..a321211caa 100644
--- a/providers/hpcloud-objectstorage/src/main/java/org/jclouds/hpcloud/objectstorage/blobstore/HPCloudObjectStorageBlobRequestSigner.java
+++ b/providers/hpcloud-objectstorage/src/main/java/org/jclouds/hpcloud/objectstorage/blobstore/HPCloudObjectStorageBlobRequestSigner.java
@@ -21,6 +21,7 @@ package org.jclouds.hpcloud.objectstorage.blobstore;
 import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.base.Preconditions.checkNotNull;
 import static com.google.common.base.Predicates.instanceOf;
+import static com.google.common.base.Predicates.not;
 import static com.google.common.collect.Iterables.filter;
 import static org.jclouds.blobstore.util.BlobStoreUtils.cleanRequest;
@@ -142,7 +143,9 @@ public class HPCloudObjectStorageBlobRequestSigner implements BlobRequestSigner
 private HttpRequest signForTemporaryAccess(HttpRequest request, long timeInSeconds) {
 HttpRequest.Builder builder = request.toBuilder();
- builder.filters(filter(request.getFilters(), instanceOf(AuthenticateRequest.class)));
+ // HP Cloud does not use X-Auth-Token for temporary signed URLs and
+ // leaking this allows clients arbitrary privileges until token timeout.
+ builder.filters(filter(request.getFilters(), not(instanceOf(AuthenticateRequest.class))));
 long expiresInSeconds = unixEpochTimestampProvider.get() + timeInSeconds;
 String signature = createSignature(secretKey, createStringToSign(
diff --git a/providers/hpcloud-objectstorage/src/test/java/org/jclouds/hpcloud/objectstorage/blobstore/HPCloudObjectStorageBlobSignerExpectTest.java b/providers/hpcloud-objectstorage/src/test/java/org/jclouds/hpcloud/objectstorage/blobstore/HPCloudObjectStorageBlobSignerExpectTest.java
index 54c6caad37..51bf2a44be 100644
--- a/providers/hpcloud-objectstorage/src/test/java/org/jclouds/hpcloud/objectstorage/blobstore/HPCloudObjectStorageBlobSignerExpectTest.java
+++ b/providers/hpcloud-objectstorage/src/test/java/org/jclouds/hpcloud/objectstorage/blobstore/HPCloudObjectStorageBlobSignerExpectTest.java
@@ -61,7 +61,7 @@ public class HPCloudObjectStorageBlobSignerExpectTest extends BaseBlobSignerExpe
 protected HttpRequest getBlobWithTime() {
 return HttpRequest.builder().method("GET")
 .endpoint("https://objects.jclouds.org/v1.0/40806637803162/container/name?temp_url_sig=40806637803162%3Aidentity%3Ada88bc31122f0d0806b1c7bf71cd3af5c5d5b94c&temp_url_expires=123456792")
- .addHeader("X-Auth-Token", "Auth_4f173437e4b013bee56d1007").build();
+ .build();
 }
 @Override
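Review bot: The new `builder.filters(...)` line only prevents the AuthenticateRequest filter from adding X-Auth-Token when the signed request is later prepared, but `request.toBuilder()` on the line above appears to copy whatever headers the incoming request already carries, so a request that reaches this method with the token header already attached would still ship it alongside the temp_url_sig query. If HttpRequest.Builder exposes header removal as I recall, a defensive `builder.removeHeader("X-Auth-Token");` after the filters line would close that path regardless of how the caller built the request; otherwise the comment should at least state that the request is assumed not to be pre-authenticated. The body of signForTemporaryAccess continues past the end of this hunk.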
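Review bot: The expected request in `getBlobWithTime()` now merely omits the header, so the leak is caught only if the base expect test compares headers strictly, which is not visible here and is easy to weaken unknowingly. A one-line comment above the `.build();` line would make the intent of the omission explicit, e.g. `// no X-Auth-Token: temporary URLs must never carry the session token (see HPCloudObjectStorageBlobRequestSigner#signForTemporaryAccess)`. The same applies to `putBlobWithTime()` in the following hunk.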
@@ -82,7 +82,7 @@ public class HPCloudObjectStorageBlobSignerExpectTest extends BaseBlobSignerExpe
 protected HttpRequest putBlobWithTime() {
 return HttpRequest.builder().method("PUT")
 .endpoint("https://objects.jclouds.org/v1.0/40806637803162/container/name?temp_url_sig=40806637803162%3Aidentity%3Ac90269245ab0a316d5ea5e654d4c2a975fb4bf77&temp_url_expires=123456792")
- .addHeader("X-Auth-Token", "Auth_4f173437e4b013bee56d1007").build();
+ .build();
 }
 @Override