I believe that indexd should not accept ETags and that #82 should be reverted on the premise that it's a real footgun.
ETags are not defined to be content-based hashes. Amazon S3's specific generation of them changes depending on how the file is uploaded. Importantly, a lot of people aren't aware of that and will see "etag" in the accepted types and think it's ok to use.
Also the validation format set in that PR only applies specifically to Amazon S3's arbitrary use. The RFC for ETag defines it as just an opaque string ( https://tools.ietf.org/html/rfc7232#section-2.3 ).
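
As an added illustration (not part of the issue text and not indexd code), the sketch below shows why an S3 ETag cannot be treated as a hash of the content: the same bytes produce different ETags depending on whether they were uploaded in one request or in parts, and on the part size. The multipart scheme used here (MD5 over the concatenated per-part MD5 digests, suffixed with the part count) is the commonly observed S3 behaviour and is assumed rather than guaranteed; the function names and sample data are constructed for the example.

```python
import hashlib


def single_put_etag(data: bytes) -> str:
    """ETag commonly observed for a single-request upload: hex MD5 of the body."""
    return hashlib.md5(data).hexdigest()


def multipart_etag(data: bytes, part_size: int) -> str:
    """ETag commonly observed for a multipart upload (assumed scheme):
    MD5 over the concatenated binary MD5 digests of each part,
    followed by "-<number of parts>"."""
    if part_size <= 0:
        raise ValueError("part_size must be positive")
    parts = [data[i:i + part_size] for i in range(0, len(data), part_size)] or [b""]
    digests = b"".join(hashlib.md5(p).digest() for p in parts)
    return f"{hashlib.md5(digests).hexdigest()}-{len(parts)}"


def etags_for(data: bytes, part_sizes) -> dict:
    """Map each upload method to the ETag it would yield for identical bytes."""
    result = {"single": single_put_etag(data)}
    for size in part_sizes:
        result[f"multipart/{size}"] = multipart_etag(data, size)
    return result


def is_plain_md5(etag: str, data: bytes) -> bool:
    """True only if the ETag equals the MD5 of the content itself."""
    return etag.strip('"') == hashlib.md5(data).hexdigest()


# Constructed sample input: 15000 bytes of repeated text.
SAMPLE = b"indexd-example-" * 1000

if __name__ == "__main__":
    for method, etag in etags_for(SAMPLE, [4096, 8192]).items():
        print(f"{method:>15}  {etag}  content-md5={is_plain_md5(etag, SAMPLE)}")
```

Only the single-request value matches the content's MD5; a record keyed on "etag" would therefore fail to match the same file re-uploaded with a different part size.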