-
Notifications
You must be signed in to change notification settings - Fork 538
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for signed urls #227
Conversation
Thanks for your contribution, @pch |
@beomseoklee @georgebearden Any news on this? Since this is a security flaw, can we please prioritize this as first in line ? Maybe even a patch release ? |
@beomseoklee @georgebearden ? Any updates ? |
@abhisheksoni27 Sorry for the delay. We will have a major update soon, but this one is not going to be added at this time. However, we will definitely add security feature to next release or quick patch. For now, if you want to add this feature to your service, you might need to add the source code by yourself. Once again, we are considering the feature, and I'm sorry for the late delivery. |
@beomseoklee Thanks for your reply. I hope you guys add something to fix the "open and not secure" nature of cloudfront URLs. Thanks, again. Waiting for the release. |
@beomseoklee When the major update is planned ? just to know if we keep @pch solution or wait for the new release. |
hello @beomseoklee, We currently use the old thumbor stack with the safe mode activated. As the Python 2.7 lambda runtime will be deprecated in december we need this soon in order the upgrade our stack. So please help ! Thank you ! |
@pch Thanks for your contribution. We've added this one to v5.1.0. However, due to our internal policy, we can't merge yours into the main branch in GitHub. So, we've added your source code to follow our internal policy and released new version v5.1.0. Due to the internal security policy, we couldn't add the secret key to Lambda environment variable, so we've added this feature to use AWS Secrets Manager. Once again, thanks for your contribution, and you can see the detail in CHNAGELOG and README. |
@beomseoklee cool, that's great news! For those looking for the docs on how to implement signatures: https://docs.aws.amazon.com/solutions/latest/serverless-image-handler/considerations.html |
Issue #, if available:
#221
Description of changes:
Adds support for HMAC-signed urls to prevent tampering with base64-encoded params.
URLs should be in the following format:
Signatures are verified only if
SIGNATURE_KEY
env var is provided.How to generate a signature:
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.