Sanity check Date header

References #5.
2014-08-21 12:27:41 -07:00 · 2014-08-21 12:27:41 -07:00 · 90261c1ce7
commit 90261c1ce7
--- a/src/main/java/org/gaul/s3proxy/S3ErrorCode.java
+++ b/src/main/java/org/gaul/s3proxy/S3ErrorCode.java
@ -26,6 +26,7 @@ import com.google.common.base.Preconditions;
 * http://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html
 */
 enum S3ErrorCode {
+    ACCESS_DENIED(HttpServletResponse.SC_FORBIDDEN, "Forbidden"),
    BUCKET_ALREADY_EXISTS(HttpServletResponse.SC_FORBIDDEN,
            "The requested bucket name is not available." +
            " The bucket namespace is shared by all users of the system." +
@ -48,6 +49,7 @@ enum S3ErrorCode {
            "Length Required"),
    NO_SUCH_BUCKET(HttpServletResponse.SC_NOT_FOUND, "Not Found"),
    NO_SUCH_KEY(HttpServletResponse.SC_NOT_FOUND, "Not Found"),
+    REQUEST_TIME_TOO_SKEWED(HttpServletResponse.SC_FORBIDDEN, "Forbidden"),
    REQUEST_TIMEOUT(HttpServletResponse.SC_BAD_REQUEST, "Bad Request"),
    SIGNATURE_DOES_NOT_MATCH(HttpServletResponse.SC_FORBIDDEN, "Forbidden");

--- a/src/main/java/org/gaul/s3proxy/S3ProxyHandler.java
+++ b/src/main/java/org/gaul/s3proxy/S3ProxyHandler.java
@ -30,6 +30,7 @@ import java.util.Enumeration;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
+import java.util.concurrent.TimeUnit;
 import java.util.concurrent.TimeoutException;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
@ -121,6 +122,28 @@ final class S3ProxyHandler extends AbstractHandler {
            }
        }

+        long date;
+        try {
+            date = request.getDateHeader(HttpHeaders.DATE);
+        } catch (IllegalArgumentException iae) {
+            sendSimpleErrorResponse(response, S3ErrorCode.ACCESS_DENIED);
+            baseRequest.setHandled(true);
+            return;
+        }
+        if (date < 0) {
+            sendSimpleErrorResponse(response, S3ErrorCode.ACCESS_DENIED);
+            baseRequest.setHandled(true);
+            return;
+        }
+        long now = System.currentTimeMillis();
+        if (now + TimeUnit.DAYS.toMillis(1) < date ||
+                now - TimeUnit.DAYS.toMillis(1) > date) {
+            sendSimpleErrorResponse(response,
+                    S3ErrorCode.REQUEST_TIME_TOO_SKEWED);
+            baseRequest.setHandled(true);
+            return;
+        }
+
        if (identity != null) {
            String expectedAuthorization = createAuthorizationHeader(request,
                    identity, credential);