aws · cjyclaire · Jun 27, 2016 · Jul 12, 2016 · Aug 2, 2016 · Aug 2, 2016
diff --git a/aws-sdk-core/lib/aws-sdk-core/signers/v4.rb b/aws-sdk-core/lib/aws-sdk-core/signers/v4.rb
@@ -39,10 +39,16 @@ def self.sign(context)
       #   the endpoint prefix.
       # @param [String] region The region (e.g. 'us-west-1') the request
       #   will be made to.
-      def initialize(credentials, service_name, region)
+      # @param [Array] whitelist headers provided to escape blacklist check
+      def initialize(credentials, service_name, region, whitelist_headers = [])
         @service_name = service_name
         @credentials = credentials.credentials
         @region = EndpointProvider.signing_region(region, service_name)
+        if whitelist_headers.any? && (BLACKLIST_HEADERS & whitelist_headers).any?
+          @blacklist = BLACKLIST_HEADERS - whitelist_headers
+        else
+          @blacklist = BLACKLIST_HEADERS
+        end
       end
 
       # @param [Seahorse::Client::Http::Request] req
@@ -182,7 +188,7 @@ def normalized_querystring(querystring)
       def signed_headers(request)
         request.headers.keys.inject([]) do |signed_headers, header_key|
           header_key = header_key.downcase
-          unless BLACKLIST_HEADERS.include?(header_key)
+          unless @blacklist.include?(header_key)
             signed_headers << header_key
           end
           signed_headers
@@ -193,7 +199,7 @@ def canonical_headers(request)
         headers = []
         request.headers.each_pair do |k,v|
           k = k.downcase
-          headers << [k,v] unless BLACKLIST_HEADERS.include?(k)
+          headers << [k,v] unless @blacklist.include?(k)
         end
         headers = headers.sort_by(&:first)
         headers.map{|k,v| "#{k}:#{canonical_header_value(v.to_s)}" }.join("\n")

diff --git a/aws-sdk-core/spec/aws/signers/v4_spec.rb b/aws-sdk-core/spec/aws/signers/v4_spec.rb
@@ -9,6 +9,7 @@ module Signers
       let(:service_name) { 'SERVICE' }
       let(:region) { 'REGION' }
       let(:endpoint) { URI.parse('https://domain.com') }
+      let(:whitelist) { ['cache-control', 'mno'] }
       let(:signer) { V4.new(credentials, service_name, region) }
       let(:sign) { signer.sign(http_request) }
       let(:http_request) do
@@ -126,6 +127,15 @@ module Signers
           expect(signer.signed_headers(http_request)).to eq('abc;mno;xyz')
         end
 
+        it 'ignores certain headers unless providing headers via :whitelist_headers' do
+          http_request.headers = {} 
+          http_request.headers['Mno'] = '3'
+          http_request.headers['Cache-Control'] = '4'
+          http_request.headers['User-Agent'] = '5'
+          new_signer = V4.new(credentials, service_name, region, whitelist)
+          expect(new_signer.signed_headers(http_request)).to eq('cache-control;mno');
+        end
+
       end
 
       context '#canonical_headers' do
@@ -153,6 +163,13 @@ module Signers
           expect(signer.canonical_headers(http_request)).to eq('abc:"a  b  c"')
         end
 
+        it 'ignores certain headers unless providing headers via :whitelist_headers' do
+          http_request.headers = {} 
+          http_request.headers['Cache-Control'] = '4'
+          new_signer = V4.new(credentials, service_name, region, whitelist)
+          expect(new_signer.canonical_headers(http_request)).to eq('cache-control:4');
+        end
+
       end
 
       context '#normalized_querystring' do