jackrabbit-oak-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alexander Klimetschek (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (OAK-7692) [DirectBinaryAccess] Upload token HMAC signature must be base64 encoded
Date Wed, 08 Aug 2018 23:34:00 GMT

    [ https://issues.apache.org/jira/browse/OAK-7692?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16574030#comment-16574030
] 

Alexander Klimetschek edited comment on OAK-7692 at 8/8/18 11:33 PM:
---------------------------------------------------------------------

[~mreutegg] Fix including unit test available [here|https://github.com/mattvryan/jackrabbit-oak/pull/14],
and as [patch file|https://patch-diff.githubusercontent.com/raw/mattvryan/jackrabbit-oak/pull/14.diff].

Note that I also made all the exception messages for an invalid token the same ("Invalid
upload token") so that possibly attacking clients don't get too much information.


was (Author: alexander.klimetschek):
[~mreutegg] Fix including unit test available [here|https://github.com/mattvryan/jackrabbit-oak/pull/14],
and as [patch file|https://patch-diff.githubusercontent.com/raw/mattvryan/jackrabbit-oak/pull/14.diff].

> [DirectBinaryAccess] Upload token HMAC signature must be base64 encoded
> -----------------------------------------------------------------------
>
>                 Key: OAK-7692
>                 URL: https://issues.apache.org/jira/browse/OAK-7692
>             Project: Jackrabbit Oak
>          Issue Type: Technical task
>          Components: blob-plugins
>            Reporter: Alexander Klimetschek
>            Assignee: Alexander Klimetschek
>            Priority: Major
>
> The upload token's hmac signature (after the #) is not base64 encoded. This might create
problems for clients passing that string around if it can contain non-ascii characters.
> Example:
> {noformat}
> ZDI4Zi1[...]jcuNzg3Wg==#i�_�\��?��S��,0:�
> {noformat}
> Code is [here|https://github.com/mattvryan/jackrabbit-oak/blob/trunk/oak-blob-plugins/src/main/java/org/apache/jackrabbit/oak/plugins/blob/datastore/directaccess/DataRecordUploadToken.java#L147-L148].
> Should probably do a {{Base64.encode()}} of the {{hash}} result of the hmac.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message