将文件直接从浏览器发送到S3，但更改文件名 [英] Sending file direct from browser to S3 but changing file name

问题描述

我正在使用已签名的授权S3上传文件，以便用户可以直接从其浏览器将文件上传到S3绕过我的服务器.目前可以使用，但是文件名与用户计算机上的文件名相同.我想将它另存为S3.

I am using signed authorized S3 uploads so that users can upload files directly from their browser to S3 bypassing my server. This presently works, but the file name is the same as on the user's machine. I'd like to save it on S3 as a different name.

我发布到亚马逊的formdata看起来像这样:

The formdata I post to amazon looks like this:

var formData = new FormData();
formData.append('key', targetPath);                       // e.g. /path/inside/bucket/myFile.mov
formData.append('AWSAccessKeyId', s3Auth.AWSAccessKeyId); // aws public key
formData.append('acl', s3Auth.acl);                       // e.g. 'public-read'
formData.append('policy', s3Auth.policy);                 // s3 policy including ['starts-with', '$key', '/path/inside/bucket/']
formData.append('signature', s3Auth.signature);           // base64 sha1 hash of private key and base64 policy JSON
formData.append('success_action_status ', 200);           // response code 200 on success
formData.append('file', file.slice());                    // e.g. /path/on/user/computer/theirFile.mov

但是，文件的结尾不是: https://s3.amazonaws.com/mybucket/path/inside/bucket/myFile.mov

However instead of the file ending up at: https://s3.amazonaws.com/mybucket/path/inside/bucket/myFile.mov

其最终结果是: https://s3.amazonaws.com/mybucket/path/inside/bucket/theirFile.mov

请注意，它具有文件名，但是我的基本路径.

Note it has their filename but my base path.

我希望它也具有我指定的文件名.

I would like it to have the filename I specify as well.

更新:更新:这一直都有效，我只是将其他代码从一个存储桶复制到了另一个存储桶，从而恢复了原始文件名，从而使我感到困惑.

UPDATE: Update: this was working all along I simply had other code that copied from one bucket to another that restored the original file name and thus confusing me.

推荐答案

您确定 targetPath 的内容以及数据来自何处吗?

Are you sure about the contents of targetPath and where that data comes from?

您描述的行为是在特定情况下，当 targetPath 实际上不包含/path/inside/bucket/myFile.mov 时应该发生的情况.

The behavior you are describing is what should happen in one particular case where targetPath doesn't actually contain /path/inside/bucket/myFile.mov.

我建议 targetPath 实际上包含值/path/inside/bucket/$ {filename} ，也就是说，我的意思是字符 $ {filename} 位于该字符串的末尾，而不是您想要的文件名.

I would suggest that targetPath actually contains the value /path/inside/bucket/${filename} -- and by that I mean, literally, the characters $ { f i l e n a m e } are at the end of that string, instead of the filename you intend.

如果是这样，那应该就是它的工作方式.

If that's true, that's exactly how it's supposed to work.

如果您不知道用户将要上载的文件名，则键值可以包含特殊变量 $ {filename} ，该变量将被上载的文件名替换.例如，如果用户上载名为 Birthday Cake的文件，则键值 uploads/$ {filename} 将成为对象名称 uploads/Birthday Cake.jpg .jpg .

If you do not know the name of the file a user will upload, the key value can include the special variable ${filename} which will be replaced with the name of the uploaded file. For example, the key value uploads/${filename} will become the object name uploads/Birthday Cake.jpg if the user uploads a file called Birthday Cake.jpg.

^{- https://aws.amazon.com/articles/1434}

如果使用要在S3中看到的文字文件名填充该变量，则上载应使用您的文件名而不是上载者计算机上的文件名，表现出预期的效果.

If you populate that variable with the literal filename you want to see in S3, then the uploads should behave as you expect, using your filename instead of the filename on the uploader's computer.

此外，一种更安全的方法是消除策略中的关键'starts-with'逻辑，而是使用特定的密钥为每个上传事件显式(动态)签署策略您要用户上传.否则，利用这种形式覆盖同一键前缀内的其他文件并非不可能.

Also, a more secure approach would be to eliminate the key 'starts-with' logic in your policy, and instead explicitly sign a policy (dynamically) for each upload event, with the specific key you want the user to upload. Otherwise, it's not impossible to exploit this form to to overwrite other files within the same key prefix.

这篇关于将文件直接从浏览器发送到S3，但更改文件名的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！