public boolean checkAuth(HttpServletRequest request) throws Exception {
    // Use the first part of the header to look up the key; don't hard-code it, so it can be changed for prod.
    String auth = request.getHeader("authorization")
            .substring(request.getHeader("authorization").indexOf(":") + 1)
            .trim();
    // This is wrong: the MD5 should be calculated from the body itself, not taken from the header.
    // The header is only used to compare against the computed value and to be able to throw errors.
    // If we just check the header MD5, an attacker could send the same message with a modified body and
    // still get it to authenticate.
    String content_MD5 = request.getHeader("Content-MD5") == null ? "" : request.getHeader("Content-MD5");
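The flaw described in the comments above, shown beside a corrected check, as an added example that is not code from the gist. It assumes the header value and the request body are passed in directly (a `String` and a `byte[]`) instead of being read from `HttpServletRequest`, so it runs without the servlet API.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

public class ContentMd5Check {

    // Broken pattern from the gist: the "expected" digest is read from the header and
    // never recomputed, so any body is accepted as long as the header is present.
    static boolean checkAuthBroken(String contentMd5Header, byte[] body) {
        String contentMd5 = contentMd5Header == null ? "" : contentMd5Header;
        return !contentMd5.isEmpty(); // the body is never inspected
    }

    // Corrected check: recompute the digest over the actual body and compare it with the
    // header value using a constant-time comparison. A missing or malformed header fails.
    static boolean checkAuthFixed(String contentMd5Header, byte[] body) throws NoSuchAlgorithmException {
        if (contentMd5Header == null || contentMd5Header.trim().isEmpty()) {
            return false;
        }
        byte[] expected;
        try {
            // Content-MD5 carries the raw 16-byte digest, base64-encoded (RFC 1864)
            expected = Base64.getDecoder().decode(contentMd5Header.trim());
        } catch (IllegalArgumentException e) {
            return false;
        }
        byte[] actual = MessageDigest.getInstance("MD5").digest(body);
        return MessageDigest.isEqual(expected, actual);
    }

    // What a legitimate client puts in the Content-MD5 header for a given body
    static String contentMd5Of(byte[] body) throws NoSuchAlgorithmException {
        return Base64.getEncoder().encodeToString(MessageDigest.getInstance("MD5").digest(body));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample bodies: the one the client signed, and a tampered copy
        byte[] original = "{\"amount\":10}".getBytes(StandardCharsets.UTF_8);
        byte[] tampered = "{\"amount\":9999}".getBytes(StandardCharsets.UTF_8);
        String header = contentMd5Of(original);

        System.out.println("broken check, tampered body: " + checkAuthBroken(header, tampered));
        System.out.println("fixed check, original body:  " + checkAuthFixed(header, original));
        System.out.println("fixed check, tampered body:  " + checkAuthFixed(header, tampered));
    }
}
```

Recomputing the digest only ties the header to the body; since MD5 is unkeyed, anyone who changes the body can also recompute Content-MD5, so the header value must itself be covered by the keyed signature carried in the Authorization header for the check to provide authentication.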