Expires time is calculated twice when using expires_in and can cause signature authentication problems #54

loe · 2012-02-01T00:36:33Z

@bmo figured this out, I'm just the messenger.

The build method in QueryString calls #expires, and so does #encoded_canonical.

 # Keep in alphabetical order
 def build
   "AWSAccessKeyId=#{access_key_id}&Expires=#{expires}&Signature=#{encoded_canonical}"
 end

If these calls lie on separate sides of a second tick the signature will be wrong. The solution is to memoize the first call so encoded_canonical uses the same value.

It occurred to us that signatures end up invalid randomly because the default signature time is computed twice and we can end up with a policy that was signed for a policy with an expiration time 1 second earlier. To be specific, the policy is computed twice inside the `fields` method which uses the `formation_expiration` twice too, which in turn computes `Time.now` at two different times. @see marcel/aws-s3#54 (similar issue)

loe added 2 commits January 31, 2012 16:32

Memoize the expires time.

40a4dd0

Style.

a7aedc3

j15e mentioned this pull request Jul 3, 2015

Ensure S3 presigned default expires time is not changing aws/aws-sdk-ruby#861

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Expires time is calculated twice when using expires_in and can cause signature authentication problems #54

Expires time is calculated twice when using expires_in and can cause signature authentication problems #54

loe commented Feb 1, 2012

Expires time is calculated twice when using expires_in and can cause signature authentication problems #54

Are you sure you want to change the base?

Expires time is calculated twice when using expires_in and can cause signature authentication problems #54

Conversation

loe commented Feb 1, 2012