mgomes / api_auth

HMAC authentication for Rails and HTTP Clients
MIT License

MD5 is not checked if it's empty #138

Closed caseyvu closed 7 years ago

caseyvu commented 7 years ago

At https://github.com/mgomes/api_auth/blob/master/lib/api_auth/headers.rb#L77

```ruby
def md5_mismatch?
  if @request.content_md5.empty?
    false
  else
    @request.md5_mismatch?
  end
end
```

So the MD5 is not checked if the header "Content-MD5" is empty. Which means I can replace the payload, remove the Content-MD5 and get past the check.

mgomes commented 7 years ago

The content-md5 header is indeed optional. However, if a client adds one, it can't be replaced as you suggested. You could remove it from the canonical string, but the Authorization header has already been hashed with the private key and includes the md5 signature.
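To make the point above concrete, here is a small added illustration (written for this thread, not the gem's own code) of an api_auth-style scheme: the Content-MD5 value is part of the canonical string that gets HMAC-signed, so a request whose MD5 header has been removed or swapped no longer matches the signature. The canonical string layout, header names and sample values are assumptions.

```ruby
require 'openssl'
require 'digest'

# Assumed canonical-string layout (content type, Content-MD5, URI, timestamp).
def canonical_string(content_type:, content_md5:, uri:, timestamp:)
  [content_type, content_md5, uri, timestamp].join(',')
end

# HMAC-SHA1 over the canonical string, base64-encoded (hypothetical format).
def sign(secret, canonical)
  [OpenSSL::HMAC.digest('sha1', secret, canonical)].pack('m0')
end

def body_md5(body)
  [Digest::MD5.digest(body)].pack('m0')
end

# Constant-time comparison so signature checks do not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: rebuild the canonical string from the headers actually
# received and recompute the signature; any header change breaks it.
def authentic?(secret, headers, signature)
  secure_compare(sign(secret, canonical_string(**headers)), signature)
end

# Constructed sample: sign one request, then check three variants.
def signature_check_demo(secret)
  body = '{"amount": 10}'
  headers = { content_type: 'application/json', content_md5: body_md5(body),
              uri: '/api/transfer', timestamp: 'Mon, 23 Jan 1984 03:29:56 GMT' }
  signature = sign(secret, canonical_string(**headers))
  {
    original: authentic?(secret, headers, signature),
    # Content-MD5 header removed entirely: canonical string changes.
    stripped: authentic?(secret, headers.merge(content_md5: ''), signature),
    # Content-MD5 replaced to match a different body: also changes.
    replaced: authentic?(secret, headers.merge(content_md5: body_md5('{"amount": 9999}')),
                         signature)
  }
end
```

Only the first variant validates; stripping or replacing the MD5 header invalidates the signature, which is why the empty-MD5 short-circuit in `md5_mismatch?` is not a bypass on its own.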

caseyvu commented 7 years ago

silly me! thanks for the clarification