
Commit efc0a9c

authored
auth: exclude additional hop-by-hop headers from SigV4 signingwq (aws#10123)
1 parent d9ce800 commit efc0a9c

3 files changed

Lines changed: 43 additions & 1 deletion


Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
{
2+
"type": "enhancement",
3+
"category": "auth",
4+
"description": "Exclude additional hop-by-hop headers from SigV4 signing to prevent signature mismatches when intermediaries mutate transport headers (connection, keep-alive, proxy-authenticate, proxy-authorization, TE, trailer, upgrade)."
5+
}

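--- a/awscli/botocore/auth.py
+++ b/awscli/botocore/auth.py
@@ -57,8 +57,15 @@
 ISO8601 = '%Y-%m-%dT%H:%M:%SZ'
 SIGV4_TIMESTAMP = '%Y%m%dT%H%M%SZ'
 SIGNED_HEADERS_BLACKLIST = [
+'connection',
 'expect',
+'keep-alive',
+'proxy-authenticate',
+'proxy-authorization',
+'te',
+'trailer',
 'transfer-encoding',
+'upgrade',
 'user-agent',
 'x-amzn-trace-id',
 ]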
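Review bot: The expanded SIGNED_HEADERS_BLACKLIST still carries no comment stating what qualifies a header for exclusion, and every entry added here widens what an on-path intermediary can rewrite without invalidating the request signature, so the criterion belongs at the definition. Suggest a comment above the list: `# Hop-by-hop / transport headers (RFC 9110 §7.6.1) that proxies and load balancers may add, drop or rewrite; signing them yields SignatureDoesNotMatch. Only headers that are never end-to-end belong here.` The entries are all lowercase, which presumably matches a lowercased lookup in the signing code outside this hunk; worth confirming so a mixed-case `Connection` header is still excluded. As a style point, a frozenset would make the membership test O(1) and signal that this is a fixed exclusion set rather than a list meant to be appended to at runtime.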

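--- a/tests/unit/botocore/auth/test_signers.py
+++ b/tests/unit/botocore/auth/test_signers.py
@@ -239,7 +239,12 @@ def _test_blocklist_header(self, header, value):
 )
 auth = self.AuthClass(credentials, 's3', 'us-east-1')
 auth.add_auth(request)
-self.assertNotIn(header, request.headers['Authorization'])
+signed_headers = (
+request.headers['Authorization']
+.split('SignedHeaders=', 1)[1]
+.split(',', 1)[0]
+)
+self.assertNotIn(header.lower(), signed_headers.split(';'))
 
 def test_blocklist_expect_headers(self):
 self._test_blocklist_header('expect', '100-continue')
@@ -255,6 +260,31 @@ def test_blocklist_user_agent_header(self):
 def test_blocklist_transfer_encoding_header(self):
 self._test_blocklist_header('transfer-encoding', 'chunked')
 
+def test_blocklist_connection_header(self):
+self._test_blocklist_header('connection', 'keep-alive')
+
+def test_blocklist_keep_alive_header(self):
+self._test_blocklist_header('keep-alive', 'timeout=5')
+
+def test_blocklist_proxy_authenticate_header(self):
+self._test_blocklist_header(
+'proxy-authenticate', 'Basic realm="proxy.example.com"'
+)
+
+def test_blocklist_proxy_authorization_header(self):
+self._test_blocklist_header(
+'proxy-authorization', 'Basic YWxhZGRpbjpvcGVuc2VzYW1l'
+)
+
+def test_blocklist_te_header(self):
+self._test_blocklist_header('te', 'trailers')
+
+def test_blocklist_trailer_header(self):
+self._test_blocklist_header('trailer', 'x-amz-checksum-sha256')
+
+def test_blocklist_upgrade_header(self):
+self._test_blocklist_header('upgrade', 'websocket')
+
 def test_uses_sha256_if_config_value_is_true(self):
 self.client_config.s3['payload_signing_enabled'] = True
 self.auth.add_auth(self.request)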
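Review bot: The reworked `_test_blocklist_header` helper in the first hunk only asserts that the blocklisted name is absent from SignedHeaders, with no positive control that the parsed list is the real signed set, so a parsing slip that yields an unrelated substring would still pass every new blocklist test. Adding one positive assertion after the existing one, e.g. `self.assertIn('host', signed_headers.split(';'))` (assuming the helper's request sets a Host header, which is built outside this hunk), would pin that the extraction landed on the SignedHeaders field. The helper also deserves a one-line comment noting that it checks the SignedHeaders field rather than the whole Authorization value because a blocklisted name such as `te` or `trailer` could otherwise appear inside the Credential or Signature components. The enclosing method starts before the hunk.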
