From b9e0714b2d5e11f3e9eb296e4a97d6131fe37053 Mon Sep 17 00:00:00 2001
From: Andrew Gaul
Date: Mon, 20 May 2019 12:39:06 +0900
Subject: [PATCH] Limit signed URL duration

Found via s3-tests.
---
 src/main/java/org/gaul/s3proxy/S3ProxyHandler.java | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/main/java/org/gaul/s3proxy/S3ProxyHandler.java b/src/main/java/org/gaul/s3proxy/S3ProxyHandler.java
index 5b443c4..70d16ca 100644
--- a/src/main/java/org/gaul/s3proxy/S3ProxyHandler.java
+++ b/src/main/java/org/gaul/s3proxy/S3ProxyHandler.java
@@ -488,6 +488,10 @@ public class S3ProxyHandler {
 long expires = Long.parseLong(expiresString);
 long nowSeconds = System.currentTimeMillis() / 1000;
 if (nowSeconds >= expires) {
+ throw new S3Exception(S3ErrorCode.ACCESS_DENIED,
+ "Request has expired");
+ }
+ if (expires - nowSeconds > TimeUnit.DAYS.toSeconds(365)) {
 throw new S3Exception(S3ErrorCode.ACCESS_DENIED);
 }
 }
@@ -503,6 +507,9 @@ public class S3ProxyHandler {
 throw new S3Exception(S3ErrorCode.ACCESS_DENIED,
 "Request has expired");
 }
+ if (expires > TimeUnit.DAYS.toSeconds(7)) {
+ throw new S3Exception(S3ErrorCode.ACCESS_DENIED);
+ }
 }
 // The aim ?
 switch (authHeader.authenticationType) {
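Review bot: The new duration checks in both hunks throw `S3Exception(S3ErrorCode.ACCESS_DENIED)` with no message, while the expiry check directly above each of them carries "Request has expired", so a client whose signature is rejected for being too long-lived cannot distinguish that from a plain expired request; the two-argument constructor is already in use here, e.g. `throw new S3Exception(S3ErrorCode.ACCESS_DENIED, "Signed URL duration exceeds the maximum allowed");`. The caps `TimeUnit.DAYS.toSeconds(365)` (first hunk, applied to the absolute `expires` minus `nowSeconds`) and `TimeUnit.DAYS.toSeconds(7)` (second hunk, where `expires` is compared directly, so it is presumably a relative duration) are bare literals whose difference nothing in the diff explains; lifting them to named `private static final long` constants with a one-line comment on why the two authentication paths get different limits would make the policy reviewable. In the second hunk only the upper bound is enforced; if the preceding expiry condition (outside the hunk) does not already reject a zero or negative `expires`, a lower bound belongs next to this check. Both enclosing methods start and end outside the hunks.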