-
Notifications
You must be signed in to change notification settings - Fork 43
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Lock the distination filename key for a given user #74
Labels
Comments
I confirm that the current implementation does not allow to limit an upload to a particular filename. |
Evaporate (https://github.com/TTLabs/EvaporateJS) solves this particular
issue by doing all signing on the server side.
I've been using that package.
I can see that doing all the signing on the client side would lessen the
load on the application server significantly, but for me having a malicious
user able to change the upload destination is a dealbreaker.
I wonder if there would be any way to produce a new policy on the server
side for a particular upload which allows uploading to only a particular
key (which could also be dictated or enforced by the server side in the
same call), and signing this policy for the client side to then use?
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I may be missing something, but it doesn't look like the upload destination (S3 key) is enforced at all. Am I right that a user given a signature by this could upload to any location in the S3 bucket, as far as it's allowed by the bucket policy?
Would a user then be able to overwrite a file uploaded by another user?
What would it take to give a user a particular location they're allowed to upload to, such that they can't change this without requesting another signing key?
The text was updated successfully, but these errors were encountered: