Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Amazon S3 creating unique keys for every object

Tags:

file

php

file-upload

amazon-web-services

amazon-s3

My app users upload their files to one bucket. How can I ensure that each object in my S3 bucket has a unique key to prevent objects from being overwritten?

At the moment I'm encrypting filenames with a random string in my php script before sending the file to S3.

For the sake of the discussion let's suppose that the uploader finds a way to manipulate the filename on upload. He wants to replace all the images on my site with a picture of a banana. What is a good way to prevent overwriting files in S3 if encryption fails?

Edit: I don't think versioning will work because I can't specify a version id in an image URL when displaying images from my bucket.

like image 428
CyberJunkie Avatar asked Sep 30 '12 01:09

CyberJunkie

People also ask

Are S3 buckets unique universally?

Amazon S3 supports global buckets, which means that each bucket name must be unique across all AWS accounts in all the AWS Regions within a partition. A partition is a grouping of Regions.

Are S3 keys unique?

The object key (or key name) uniquely identifies the object in an Amazon S3 bucket.

Does S3 automatically encrypt data by default?

Default encryption works with all existing and new Amazon S3 buckets. Without default encryption, to encrypt all objects stored in a bucket, you must include encryption information with every object storage request.

Why do S3 bucket names have to be unique?

Amazon S3 has a global namespace. (i.e. No two S3 buckets can have the same name.) It's similar to how DNS works where each domain name must be unique. Therefore, you need to use a unique bucket name when creating S3 buckets.

1 Answers

Are you encrypting, or hashing? If you are using md5 or sha1 hashes, an attacker could easily find a hash collision and make you slip on a banana skin. If you are encrypting without a random initialization vector, an attacker might be able to deduce your key after uploading a few hundred files, and encryption is probably not the best approach. It is computationally expensive, difficult to implement, and you can get a safer mechanism for this job with less effort.

If you prepend a random string to each filename, using a reasonably reliable source of entropy, you shouldn’t have any issues, but you should check whether the file already exists anyway. Although coding a loop to check, using S3::GetObject, and generate a new random string might seem like a lot of effort for something that will almost never need to run, "almost never" means it has a high probability of happening eventually.

like image 171
Terence Johnson Avatar answered Oct 06 '22 00:10

Terence Johnson
Sign in to Comment

Related questions

web based remote desktop for connecting to android
What is the best session save_handler for PHP and why? [closed]
PHP debugging in XAMPP
PHP API authentication and sessions
Binary Tree Using PHP + MySQL
get latest products using magento soap API
Find available port for PHP server
PHP/MYSQL datetime ranges overlapping for users
Best scripting language for Windows GUI EXE [closed]
Detect User Abort / Client Disconnection in PHP [closed]
How to tell if socket is open in PHP?
Using FOSRestBundle with forms
Detecting the mood of a tweet or message
Corrupt image when extract from zip
Mock frameworks returns class with different name and type
Running PHP script in background using Ant
fuzzy DISTINCT Values
Java/Android HttpURLConnection setChunkedStreamingMode not working with all PHP servers
Failed to load resource: Frame load interrupted - Agian
Doctrine 1.2 hydrate method - array to model object

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!