Closed caseyvu closed 7 years ago
The content-md5 header is indeed optional. However, if a client adds one, it can't be replaced as you suggested. You could remove it from the canonical string, but the Authorization header has already been hashed with the private key and includes the md5 signature.
silly me! thanks for the clarification
At https://github.com/mgomes/api_auth/blob/master/lib/api_auth/headers.rb#L77
So the md5 is not checked if the header "Content-MD5" is empty. Which means I can replace the payload, remove the Content-MD5 and get past the check.
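The exchange above turns on one point: the MD5 check alone can be skipped by dropping the header, but the HMAC in the Authorization header is computed over a canonical string that contains the Content-MD5 value, so removing the header changes the canonical string and the signature no longer verifies. The following is an added Ruby model of that behaviour, not the api_auth gem's own code; the canonical-string layout (content-type, content-md5, request-uri, date), the `APIAuth access-id:` Authorization format and the shared secret are constructed assumptions for illustration.

```ruby
require 'openssl'
require 'digest'
require 'base64'

# Constructed shared secret and access id (not real credentials).
SECRET = 'constructed-shared-secret'
ACCESS_ID = 'access-id'

# Base64 MD5 of the body, the usual Content-MD5 encoding.
def content_md5(body)
  Base64.strict_encode64(Digest::MD5.digest(body))
end

# Assumed canonical string layout: the Content-MD5 slot is included even
# when the header is absent (it becomes an empty field).
def canonical_string(headers)
  [headers['Content-Type'],
   headers['Content-MD5'].to_s,
   headers['Request-URI'],
   headers['Date']].join(',')
end

# HMAC-SHA1 over the canonical string, Base64-encoded.
def sign(headers, secret)
  digest = OpenSSL::Digest.new('sha1')
  Base64.strict_encode64(OpenSSL::HMAC.digest(digest, secret, canonical_string(headers)))
end

# Client side: build a signed request for the given body.
def build_request(body)
  headers = {
    'Content-Type' => 'application/json',
    'Content-MD5'  => content_md5(body),
    'Request-URI'  => '/api/items',
    'Date'         => 'Mon, 01 Jan 2024 00:00:00 GMT'
  }
  headers['Authorization'] = "APIAuth #{ACCESS_ID}:#{sign(headers, SECRET)}"
  { headers: headers, body: body }
end

# Constant-time string comparison so the signature check does not leak
# how many leading bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack('C*')
  acc = 0
  b.each_byte { |byte| acc |= byte ^ left.shift }
  acc.zero?
end

# Server side: returns :ok, :bad_md5 or :bad_signature.
# 1. If a Content-MD5 header is present, it must match the body.
# 2. The Authorization HMAC must match the canonical string as received,
#    which is what binds the (present or absent) Content-MD5 to the signature.
def verify(request, secret)
  headers = request[:headers]
  md5 = headers['Content-MD5']
  if !md5.nil? && !md5.empty? && md5 != content_md5(request[:body])
    return :bad_md5
  end
  expected = "APIAuth #{ACCESS_ID}:#{sign(headers, secret)}"
  secure_compare(headers['Authorization'].to_s, expected) ? :ok : :bad_signature
end

# Three cases: the untouched request, a modified body with the original
# Content-MD5 left in place, and a modified body with Content-MD5 removed.
def demo
  good = build_request('{"amount":10}')
  tampered_kept = { headers: good[:headers].dup, body: '{"amount":9999}' }
  stripped = {
    headers: good[:headers].reject { |k, _| k == 'Content-MD5' },
    body: '{"amount":9999}'
  }
  {
    good: verify(good, SECRET),
    tampered_kept: verify(tampered_kept, SECRET),
    stripped: verify(stripped, SECRET)
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The modified body with the header kept fails the MD5 check, and the modified body with the header removed fails the signature check, because the empty Content-MD5 slot produces a different canonical string from the one the client signed. A verifier that checked only the MD5 header, or that signed a canonical string without the Content-MD5 slot, would not catch the second case.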