Posts Tagged: PHP
Amazon S3 HMAC Signatures without PEAR or PHP5
The Amazon S3 proposal for uploading via POST describes how to assemble a policy document that can be used to create a time-sensitive signature. The obvious advantage to this method is that you don’t have to worry about someone stealing your secret AWS key or uploading random files without your permission.
Here is the example policy document from the proposal:
{ "expiration": "2007-12-01T12:00:00.000Z", "conditions": [ {"acl": "public-read" }, {"bucket": "johnsmith" }, ["starts-with", "$key", "user/eric/"], ["content-length-range", 2048, 20971520] ] }This Policy document is Base64 encoded and the Signature is the HMAC of the Base64 encoding.
The application I am developing at work requires this signed policy method of uploading files to S3, however I needed to do it with PHP4 and preferably without any extra PEAR packages. This posed somewhat of a challenge, as all the tutorials I found on the web explained how to sign the policy using the PEAR Crypt_HMAC package or some feature of PHP5.
I eventually figured it out, and I’m here to show you how. The two functions used were found on the web (I don’t remember exactly where) and worked perfectly for my situation.
(Note: I had a lot of trouble saving the contents of the following code in WordPress due to some Apache mod_security settings configured on my server.)
/*
* Calculate HMAC-SHA1 according to RFC2104
* See http://www.faqs.org/rfcs/rfc2104.html
*/
function hmacsha1($key,$data) {
$blocksize=64;
$hashfunc='sha1';
if (strlen($key)>$blocksize)
$key=pack('H*', $hashfunc($key));
$key=str_pad($key,$blocksize,chr(0x00));
$ipad=str_repeat(chr(0x36),$blocksize);
$opad=str_repeat(chr(0x5c),$blocksize);
$hmac = pack(
'H*',$hashfunc(
($key^$opad).pack(
'H*',$hashfunc(
($key^$ipad).$data
)
)
)
);
return bin2hex($hmac);
}
/*
* Used to encode a field for Amazon Auth
* (taken from the Amazon S3 PHP example library)
*/
function hex2b64($str)
{
$raw = '';
for ($i=0; $i < strlen($str); $i+=2)
{
$raw .= chr(hexdec(substr($str, $i, 2)));
}
return base64_encode($raw);
}
/* Create the Amazon S3 Policy that needs to be signed */
$policy = '{ "expiration": "2007-12-01T12:00:00.000Z",
"conditions": [
{"acl": "public-read" },
{"bucket": "johnsmith" },
["starts-with", "$key", "user/eric/"],
["content-length-range", 2048, 20971520]
]';
/*
* Base64 encode the Policy Document and then
* create HMAC SHA-1 signature of the base64 encoded policy
* using the secret key. Finally, encode it for Amazon Authentication.
*/
$base64_policy = base64_encode($policy);
$signature = hex2b64(hmacsha1($secretkey, $base64_policy));
That’s it! This method doesn’t require PHP5 and doesn’t require any additional PEAR packages.
ERROR 406: Not Acceptable
The other day I was writing a script for work and discovered it wasn’t behaving as expected. The web browser didn’t give me any helpful information so I decided to use wget to see what the actual error was:
eris:~ raam$ wget --spider -v mysite.com
Connecting to mysite.com|69.16.69.151|:80... connected.
HTTP request sent, awaiting response... 406 Not Acceptable
16:19:28 ERROR 406: Not Acceptable.
Ah ha! ERROR 406: Not Acceptable. After doing some Googling I discovered the problem is related to an optional (though commonly installed) Apache module called mod_security. This module basically acts as a firewall for Apache to help prevent website attacks, specifically attacks through POST submissions.
To disable mod_security, you can place the following line in an .htaccess file on the root of your site:
SecFilterEngine off
I then confirmed that disabling mod_security actually fixed the problem:
eris:~ raam$ wget --spider -v mysite.com
Connecting to mysite.com|69.16.69.151|:80... connected.
HTTP request sent, awaiting response... 200 OK
So as you can see, the quick solution to fixing the Error 406 problem is to disable mod_security altogether using a .htaccess file. However, this leaves me wondering how much security I’m giving up by disabling mod_security.
I was in a hurry when this happened so I didn’t spend much time investigating what exactly my script was doing that may have caused mod_security to freak out. Sometimes other applications cause the Error 406 problem, such as WordPress or Mambo, and you really don’t have choice except to wait for a fix to be released. Since my own software caused the problem, figuring out why should be easy. I’ll post my results when I determine what was.
slGrid: Edit Mode without Add or Delete
I’ve been customizing slGrid for an application I’m developing at work. One of the things I needed to do was to enable the MODE_EDIT but at the same time prevent additions or deletions.
To prevent deletions, there is an option in /classes/gridclass.php called $editmode_delete, which you can simply set to false to prevent deletions and remove the ‘Delete’ column. However, this creates another problem: While editing a row, the ‘Delete’ button and the ‘Cancel’ button share the same column:
So by disabling deletions, we’re giving up our ‘Cancel’ button. This means the only way to get out of edit mode after clicking the ‘Edit’ button, is to refresh the page. OK, so thats not the end of the world. Lets continue.
Our next problem is insertions — we need to prevent users from adding new rows. I saw the $editmode_add option in /classes/gridclass.php, and assumed it would be as simple as changing it to false. But to my surprise, that only removed the ‘Add’ button, leaving the entire (empty) insertion row at the top of the table:
Well that doesn’t make any sense. If there is an option to disable insertions, why leave the unused empty row? After lots of digging I finally found the block of code that needs to be commented/removed to prevent the empty row from loading:
gridclass.php:
if ($this->mode == MODE_EDIT)
{
$insert_row = array();
$row_index = -1;
foreach ($this->columns as $column)
$insert_row[$column->name] = "";
$this->CreateRow($insert_row, $row_index, $visible_row_index, $table_main);
$row_index++;
}
After commenting out that block of code, I finally have what I want; slGrid in Edit Mode without the ability to Add or Delete:
I’m going to be working with slGrid a lot now and I’ll be tweaking/customizing it quite a bit. I will be sure to share everything I learn here on my blog for others who may wish to use it.
