我正在尝试构建一个测试,让我可以锻炼 FilePicker.io 的安全性。代码运行为:
ruby test.rb [file handle]
结果是我可以附加到 FilePicker URL 的查询字符串。我很确定我的政策得到了正确阅读,但我的签名没有。有人可以告诉我我做错了什么吗?这是代码:
require 'rubygems'
require 'base64'
require 'cgi'
require 'openssl'
require 'json'
handle = ARGV[0]
expiry = Time::now.to_i + 3600
policy = {:handle=>handle, :expiry=>expiry, :call=>["pick","read", "stat"]}.to_json
puts policy
puts "\n"
secret = 'SECRET'
encoded_policy = CGI.escape(Base64.encode64(policy))
signature = OpenSSL::HMAC.hexdigest('sha256', secret, encoded_policy)
puts "?signature=#{signature}&policy=#{encoded_policy}"