Comments (3)
Hi there, I believe you ran into an issue but I don't think your proposed solution is the right solution. `truncated_timestamp` is from `time.time()`, controlled by the system, and returns a linux timestamp which isn't affected by timezones. Are you sure that your system time is set correctly?
The issue is not the use of `time.time()`, that will return the epoch time which like you said is not affected by timezones. The issue is in the use of `datetime.fromtimestamp`:
```
fromtimestamp(...) method of builtins.type instance
    timestamp[, tz] -> tz's local time from POSIX timestamp.
```
`fromtimestamp` returns a local datetime object, whereas `utcfromtimestamp` returns a UTC datetime object:
```
utcfromtimestamp(...) method of builtins.type instance
    Construct a naive UTC datetime from a POSIX timestamp.
```
The difference in what these two datetime objects are is causing the boto project to generate urls with their dates set to the wrong UTC time.
```python
#! /usr/bin/env python3
import time
import boto3
from botocore.client import Config
from freezegun import freeze_time
from datetime import datetime

# Format SigV4 uses for X-Amz-Date; the literal Z means the value must be UTC
SIGV4_TIMESTAMP = "%Y%m%dT%H%M%SZ"


def main() -> None:
    # Dummy credentials and endpoint: only the signed date matters, no request is sent
    s3 = boto3.client(
        "s3",
        config=Config(signature_version="s3v4", s3={"addressing_style": "path"}),
        aws_access_key_id="AAAAAAAAAAAA",
        aws_secret_access_key="BBBBBBBBBBBBBBBBBBB",
        endpoint_url="https://localhost",
        region_name="us-east-1",
    )
    timestamp = int(time.time())
    # fromtimestamp() yields naive *local* wall-clock time; utcfromtimestamp() yields naive UTC
    broken_local_time = datetime.fromtimestamp(timestamp)
    correct_utc_time = datetime.utcfromtimestamp(timestamp)
    print(f" broken time: {broken_local_time.strftime(SIGV4_TIMESTAMP)}")
    print(f"correct time: {correct_utc_time.strftime(SIGV4_TIMESTAMP)}")
    # Freeze the clock at the naive local value so botocore signs with it
    with freeze_time(broken_local_time):
        url = s3.generate_presigned_url(
            "get_object",
            Params={
                "Bucket": "bucket-name",
                "Key": "/path/to/file.txt",
                "ResponseContentDisposition": "attachment; filename={}".format(
                    "file.txt"
                ),
                "ResponseCacheControl": "max-age=3600",
            },
            ExpiresIn=3600,
        )
    print(f"{url=}")


if __name__ == "__main__":
    main()
```
```text
[~]$ date; python main.py
Wed Nov 29 07:42:32 CST 2023
 broken time: 20231129T074232Z
correct time: 20231129T134232Z
url='https://localhost/bucket-name//path/to/file.txt?response-content-disposition=attachment%3B%20filename%3Dfile.txt&response-cache-control=max-age%3D3600&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AAAAAAAAAAAA%2F20231129%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20231129T074232Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=94f1c638bf0c805db82c66cb6f17cdba84bea722ad5b0ccd87b8465dd0ce7242'
```
Note how my local time is in US/Central, `Wed Nov 29 07:42:32 CST 2023`, and that CTFd generated a presigned url with `X-Amz-Date=20231129T074232Z` (2023 11 29 07:42:32Z).

To the S3 service that Date param MUST be presented as a UTC value, and the correct UTC time when I ran this script was (2023 11 29 13:42:32Z). So when I attempt to navigate to that URL I get an access denied because the url CTFd generated for me had already expired many hours before.

- `07:42:32Z` (incorrectly generated because of `fromtimestamp`)
- `13:42:32Z` (what should have been generated if `utcfromtimestamp` had been used)
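As an added example (not from this thread and not CTFd's or boto's code), the same mismatch reproduced without depending on the host's timezone or on freezegun, plus a check that reads `X-Amz-Date` and `X-Amz-Expires` back out of a presigned URL to see whether the URL is valid at a given instant. The timestamp, the UTC-6 offset and the URL are constructed to match the numbers above; the signature is left out because only the date window is inspected.

```python
from datetime import datetime, timedelta, timezone
from typing import Tuple
from urllib.parse import parse_qs, urlparse

SIGV4_TIMESTAMP = "%Y%m%dT%H%M%SZ"

# Constructed inputs matching the thread: 2023-11-29 13:42:32 UTC seen from US/Central (UTC-6)
TS = int(datetime(2023, 11, 29, 13, 42, 32, tzinfo=timezone.utc).timestamp())
CST = timezone(timedelta(hours=-6))
# Constructed presigned URL carrying the wrongly generated date; signature omitted
BROKEN_URL = ("https://localhost/bucket-name/file.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256"
              "&X-Amz-Date=20231129T074232Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host")


def sigv4_date_broken(ts: int, local_tz: timezone) -> str:
    """Reproduce the bug: naive local wall-clock time stamped with a literal 'Z'."""
    # datetime.fromtimestamp(ts) with no tz gives this value using the host zone;
    # passing the zone explicitly makes the result independent of the host.
    naive_local = datetime.fromtimestamp(ts, tz=local_tz).replace(tzinfo=None)
    return naive_local.strftime(SIGV4_TIMESTAMP)


def sigv4_date_correct(ts: int) -> str:
    """Aware-UTC formatting; same result as utcfromtimestamp() without the deprecation."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime(SIGV4_TIMESTAMP)


def presigned_window(url: str) -> Tuple[datetime, datetime]:
    """Return (not_before, not_after) as aware UTC datetimes from a SigV4 query string."""
    q = parse_qs(urlparse(url).query)
    start = datetime.strptime(q["X-Amz-Date"][0], SIGV4_TIMESTAMP)
    start = start.replace(tzinfo=timezone.utc)  # the trailing Z means UTC
    return start, start + timedelta(seconds=int(q["X-Amz-Expires"][0]))


def url_valid_at(url: str, now_ts: int) -> bool:
    """True if the given epoch second falls inside the URL's signed validity window."""
    start, end = presigned_window(url)
    now = datetime.fromtimestamp(now_ts, tz=timezone.utc)
    return start <= now < end


if __name__ == "__main__":
    print("broken :", sigv4_date_broken(TS, CST))   # 20231129T074232Z
    print("correct:", sigv4_date_correct(TS))        # 20231129T134232Z
    print("valid now?", url_valid_at(BROKEN_URL, TS))  # False: window closed 5 hours earlier
```

Running the same check against a URL whose date was generated correctly shows it valid for exactly the 3600 seconds of `X-Amz-Expires`.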
Thanks for the POC. I think this is probably an issue with freezegun or something which is apparently no longer being maintained. spulec/freezegun#511