[ https://issues.apache.org/jira/browse/OAK-7692?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16574030#comment-16574030 ]

Alexander Klimetschek edited comment on OAK-7692 at 8/8/18 11:33 PM:
---------------------------------------------------------------------

[~mreutegg] Fix including unit test available [here|https://github.com/mattvryan/jackrabbit-oak/pull/14], and as [patch file|https://patch-diff.githubusercontent.com/raw/mattvryan/jackrabbit-oak/pull/14.diff].

Note that I also made all the exception messages for an invalid token the same 
("Invalid upload token") so that possibly attacking clients don't get too much 
information.


was (Author: alexander.klimetschek):
[~mreutegg] Fix including unit test available [here|https://github.com/mattvryan/jackrabbit-oak/pull/14], and as [patch file|https://patch-diff.githubusercontent.com/raw/mattvryan/jackrabbit-oak/pull/14.diff].

> [DirectBinaryAccess] Upload token HMAC signature must be base64 encoded
> -----------------------------------------------------------------------
>
>                 Key: OAK-7692
>                 URL: https://issues.apache.org/jira/browse/OAK-7692
>             Project: Jackrabbit Oak
>          Issue Type: Technical task
>          Components: blob-plugins
>            Reporter: Alexander Klimetschek
>            Assignee: Alexander Klimetschek
>            Priority: Major
>
> The upload token's hmac signature (after the #) is not base64 encoded. This 
> might create problems for clients passing that string around if it can 
> contain non-ascii characters.
> Example:
> {noformat}
> ZDI4Zi1[...]jcuNzg3Wg==#i�_�\��?��S��,0:�
> {noformat}
> Code is 
> [here|https://github.com/mattvryan/jackrabbit-oak/blob/trunk/oak-blob-plugins/src/main/java/org/apache/jackrabbit/oak/plugins/blob/datastore/directaccess/DataRecordUploadToken.java#L147-L148].
> Should probably do a {{Base64.encode()}} of the {{hash}} result of the hmac.
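The two points in this thread, base64-encoding the HMAC part of the upload token so the whole token stays ASCII, and returning one generic error for every kind of invalid token, are illustrated by the following added example. It is not Oak's code and not the linked pull request; it is a stand-alone Python sketch with a constructed secret key and a constructed payload (the real token's first part is whatever Oak base64-encodes as upload metadata). `make_token_raw` reproduces the problematic shape, raw digest bytes after the `#`; `make_token` is the corrected shape; `verify_token` applies a constant-time comparison and raises the same "Invalid upload token" message for a missing separator, an undecodable signature, or a mismatch.

```python
import base64
import hashlib
import hmac

# Constructed sample values for this example only; Oak's real key and
# payload layout are not reproduced here.
SECRET_KEY = b"constructed-secret-key-for-this-example"
PAYLOAD_B64 = base64.b64encode(
    b"blobid=example-blob,expires=2018-08-08T23:33:00Z"
).decode("ascii")

# One message for every failure mode, so a client learns nothing about
# which check rejected the token.
INVALID_TOKEN = "Invalid upload token"


def raw_signature(payload_b64: str, key: bytes = SECRET_KEY) -> bytes:
    """HMAC-SHA256 over the payload part; the digest is arbitrary bytes."""
    return hmac.new(key, payload_b64.encode("ascii"), hashlib.sha256).digest()


def make_token_raw(payload_b64: str, key: bytes = SECRET_KEY) -> str:
    """The problematic form: raw digest bytes pasted after '#' as characters.

    Most of the 32 digest bytes are not printable ASCII, which is what the
    garbled example in the issue description shows.
    """
    return payload_b64 + "#" + raw_signature(payload_b64, key).decode("latin-1")


def make_token(payload_b64: str, key: bytes = SECRET_KEY) -> str:
    """The fixed form: the digest is base64-encoded, so the token is ASCII."""
    sig_b64 = base64.b64encode(raw_signature(payload_b64, key)).decode("ascii")
    return payload_b64 + "#" + sig_b64


def is_safe_to_pass_around(token: str) -> bool:
    """True when a client can carry the token in URLs, headers or JSON as-is."""
    return token.isascii() and token.isprintable()


def verify_token(token: str, key: bytes = SECRET_KEY) -> str:
    """Return the payload part if the token is well-formed and authentic.

    Every failure raises ValueError(INVALID_TOKEN): missing '#', empty
    payload, signature that is not valid base64, or signature mismatch.
    """
    payload_b64, sep, sig_b64 = token.partition("#")
    if sep != "#" or not payload_b64:
        raise ValueError(INVALID_TOKEN)
    try:
        # validate=True rejects characters outside the base64 alphabet
        # (binascii.Error is a ValueError subclass).
        supplied = base64.b64decode(sig_b64, validate=True)
    except ValueError:
        raise ValueError(INVALID_TOKEN)
    expected = raw_signature(payload_b64, key)
    # Constant-time comparison; also False when lengths differ.
    if not hmac.compare_digest(supplied, expected):
        raise ValueError(INVALID_TOKEN)
    return payload_b64


def verification_error(token: str, key: bytes = SECRET_KEY):
    """Helper for callers and tests: the error message, or None if valid."""
    try:
        verify_token(token, key)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    good = make_token(PAYLOAD_B64)
    print("encoded token :", good, "->", verification_error(good))
    print("ascii-safe    :", is_safe_to_pass_around(good))
    print("raw token safe:", is_safe_to_pass_around(make_token_raw(PAYLOAD_B64)))
    for bad in (PAYLOAD_B64, PAYLOAD_B64 + "#AAAA", PAYLOAD_B64 + "#not base64!!"):
        print("rejected      :", repr(bad[-12:]), "->", verification_error(bad))
```

Because every rejection carries the same message, a caller cannot distinguish "separator missing" from "signature wrong", which is the property the comment above describes; the base64 step is what keeps the second half of the token inside the printable ASCII range regardless of the digest's bytes.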



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)