Payload not signed if transferred securely via HTTPS

dacut / python-aws-sig

AWS signature validation routines for Python

Apache License 2.0

9 stars 1 forks source link

Payload not signed if transferred securely via HTTPS #3

Closed slyapustin closed 5 years ago

slyapustin commented 5 years ago

UNSIGNED-PAYLOAD string should be used instead of content hash if transferred via HTTPS

Here some related discussion: https://forums.aws.amazon.com/thread.jspa?threadID=226622

dacut commented 5 years ago

This is for aws-sigv4s3, which is a slight variant of aws-sigv4. Let me take a look at a few other things in the codepath; I especially want to make sure we handle paths correctly in the different aws-sigv4s3 vs aws-sigv4 cases (notably, // -> / in aws-sigv4, but not aws-sigv4s3; there might be other things, like how URL encoding is handled).

dacut commented 5 years ago

Support for this now exists in a separate class, AWSSigV4S3Verifier.