validate region from S3 redirect response in S3RegionRedirector#3722
Open
metsw24-max wants to merge 1 commit into
Open
validate region from S3 redirect response in S3RegionRedirector#3722metsw24-max wants to merge 1 commit into
metsw24-max wants to merge 1 commit into
Conversation
S3RegionRedirectorv2 already runs validate_region_name on the region taken from a redirect response; apply the same check in the deprecated S3RegionRedirector so the server-supplied value is validated before it reaches endpoint resolution and request signing.
Author
|
any update? |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Unvalidated bucket region in S3RegionRedirector
The deprecated
S3RegionRedirector.get_bucket_regionreturns the region taken from a redirect response (thex-amz-bucket-regionheader, the error bodyRegion, or the HeadBucket fallback) as-is, whereas its replacementS3RegionRedirectorv2already runsvalidate_region_nameon the same value. The two classes therefore disagree on whether a server-supplied region is checked. That region then feeds endpoint resolution, the rewritten request URL and the SigV4 signing region, so an untrusted or misbehaving endpoint can push an arbitrary string through this path. I have kept the change to the v2 behaviour and applied the samevalidate_region_namecall; nothing else in the flow changes. Added unit cover for the three sources. The class is deprecated, but it is still importable and used by third parties, so bringing it in line seems worthwhile.