It is possible with s3direct to sign arbitrary s3 operations against the bucket exposed via s3direct/evaporate, because `get_aws_v4_signature` just signs whatever hash you give it without validating the target key. So s3direct essentially makes any file in the bucket writeable. (This library should come with a giant red warning if regular end-users can upload publicly accessible content via s3direct)

This should pass canonicalRequest to the django view so the django view can validate the to_sign contains an acceptable URL path: https://github.com/bradleyg/django-s3direct/blob/master/src/index.js#L120
Discussion in evaporate issues from 2016 where they added canonicalRequest support for this purpose: https://github.com/TTLabs/EvaporateJS/issues/219#issuecomment-261657647
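The following is an added, self-contained illustration of the mitigation the issue proposes; it is not code from django-s3direct or EvaporateJS. It models a signing endpoint that receives both the SigV4 string-to-sign and the canonical request, recomputes the canonical request hash so the two cannot be mixed, and only then checks the HTTP method and the object key prefix before producing a signature. The bucket name, region, allowed prefix, secret key, and the assumption that the client builds path-style URIs (`/<bucket>/<key>`) are all constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import unquote

# Constructed settings for the example; a real view reads these from Django settings.
AWS_SECRET_KEY = "EXAMPLE-SECRET-KEY-NOT-REAL"
AWS_REGION = "us-east-1"
ALLOWED_KEY_PREFIXES = ("uploads/",)     # hypothetical: the only prefix end users may write to
ALLOWED_METHODS = {"PUT", "POST"}        # hypothetical policy: no GET/DELETE signing for browsers


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date_stamp: str, region: str, service: str = "s3") -> bytes:
    """Standard SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def parse_canonical_request(canonical_request: str):
    """Split a SigV4 canonical request into its parts.

    Layout: method, URI, query string, one line per canonical header, a blank line,
    the signed-headers list, and the payload hash.
    """
    lines = canonical_request.split("\n")
    if len(lines) < 6:
        raise ValueError("malformed canonical request")
    method, uri, query = lines[0], lines[1], lines[2]
    try:
        blank = lines.index("", 3)
    except ValueError:
        raise ValueError("malformed canonical request: no blank line before signed headers")
    headers = lines[3:blank]
    signed_headers = lines[blank + 1]
    payload_hash = lines[blank + 2]
    return method, uri, query, headers, signed_headers, payload_hash


def object_key_from_uri(uri: str, bucket: str) -> str:
    """Assumes path-style URIs (/<bucket>/<key>); returns the percent-decoded key."""
    prefix = f"/{bucket}/"
    if not uri.startswith(prefix):
        raise PermissionError("URI does not target the expected bucket")
    key = unquote(uri[len(prefix):])
    if not key:
        raise PermissionError("empty object key")
    return key


def sign_upload_request(to_sign: str, canonical_request: str, bucket: str) -> str:
    """Return the hex SigV4 signature, or raise PermissionError if the request is out of policy.

    The crucial step is binding to_sign to the canonical request by recomputing its hash:
    without it a client could present a harmless canonical request for inspection while
    asking for a signature over a different one.
    """
    parts = to_sign.split("\n")
    if len(parts) != 4 or parts[0] != "AWS4-HMAC-SHA256":
        raise PermissionError("unsupported or malformed string-to-sign")
    _, _amz_date, scope, cr_hash = parts
    if hashlib.sha256(canonical_request.encode("utf-8")).hexdigest() != cr_hash:
        raise PermissionError("to_sign does not match the supplied canonical request")
    date_stamp, region, service, terminator = scope.split("/")
    if region != AWS_REGION or service != "s3" or terminator != "aws4_request":
        raise PermissionError("unexpected credential scope")

    method, uri, _query, _headers, _signed, _payload = parse_canonical_request(canonical_request)
    if method not in ALLOWED_METHODS:
        raise PermissionError(f"method {method} not allowed")
    key = object_key_from_uri(uri, bucket)
    if not key.startswith(ALLOWED_KEY_PREFIXES):
        raise PermissionError(f"key {key!r} is outside the allowed prefixes")

    k_signing = signing_key(AWS_SECRET_KEY, date_stamp, region, service)
    return hmac.new(k_signing, to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def build_example(key: str, method: str = "PUT", bucket: str = "example-bucket"):
    """Construct a (to_sign, canonical_request) pair the way a browser client would."""
    canonical_request = "\n".join([
        method, f"/{bucket}/{key}", "",
        "host:s3.amazonaws.com", "x-amz-date:20240101T000000Z", "",
        "host;x-amz-date", "UNSIGNED-PAYLOAD",
    ])
    cr_hash = hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()
    to_sign = "\n".join(["AWS4-HMAC-SHA256", "20240101T000000Z",
                         f"20240101/{AWS_REGION}/s3/aws4_request", cr_hash])
    return to_sign, canonical_request


if __name__ == "__main__":
    ok_to_sign, ok_cr = build_example("uploads/avatar.png")
    print("signed:", sign_upload_request(ok_to_sign, ok_cr, "example-bucket"))
    bad_to_sign, bad_cr = build_example("index.html")
    try:
        sign_upload_request(bad_to_sign, bad_cr, "example-bucket")
    except PermissionError as exc:
        print("rejected:", exc)
```

In a real Django view the two strings would come from the request body, and the prefix policy would normally include the authenticated user's own directory rather than a fixed string; the ordering of the checks (hash binding first, then method, then key) is the part worth keeping.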