@pwojt
pwojt / changed.java
Created September 9, 2015 13:49
Check Auth Changes
public boolean checkAuth(HttpServletRequest request) throws Exception {
    // Use the part before ':' to look up the key; don't hard-code it, so it can be changed for prod.
    String authHeader = request.getHeader("authorization");
    if (authHeader == null) {
        return false; // no credentials presented: fail closed instead of NPE-ing on substring()
    }
    String auth = authHeader.substring(authHeader.indexOf(":") + 1).trim();
    // This is wrong: the MD5 should be calculated from the body itself, not taken from the header.
    // The header is only used to compare against the computed value so a mismatch can be rejected with an error.
    // If we only check the MD5 in the header, an attacker can replay the same headers with a modified body and
    // still get it to authenticate.
String content_MD5 = request.getHeader("Content-MD5") == null ? ""
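The fix the comments above describe, as an added example that is not the gist's code: compute Content-MD5 from the body bytes actually received, compare it to the header in constant time, and only then check the Authorization value against the key looked up from the part before the colon. The request is modelled as a plain header map plus a byte array so it runs without servlet-api. The header layout `keyId:signature` with `signature = Base64(HMAC-SHA256(key, contentMd5))`, the `KEYS` table and the `demo-key` entry are assumptions for illustration; the gist does not say how the second part of the header is checked.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example, not code from the gist. Validates Content-MD5 against the body
 * that was really received, then checks the Authorization header.
 * Assumed (not in the gist): "Authorization: keyId:signature" where
 * signature = Base64(HMAC-SHA256(key, contentMd5)).
 */
public class CheckAuthExample {

    // Constructed stand-in for the real key store; a real servlet would load this from config.
    private static final Map<String, byte[]> KEYS = Map.of(
        "demo-key", "s3cret-demo-key".getBytes(StandardCharsets.UTF_8));

    /** Base64(MD5(body)), the encoding RFC 1864 defines for the Content-MD5 header. */
    static String contentMd5(byte[] body) {
        try {
            return Base64.getEncoder().encodeToString(
                MessageDigest.getInstance("MD5").digest(body));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Assumed signature scheme: HMAC-SHA256 over the Content-MD5 string, Base64 encoded. */
    static String sign(byte[] key, String contentMd5) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return Base64.getEncoder().encodeToString(
                mac.doFinal(contentMd5.getBytes(StandardCharsets.US_ASCII)));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Header names are case-sensitive here only because the map stands in for the servlet request. */
    static boolean checkAuth(Map<String, String> headers, byte[] body) {
        String authorization = headers.get("Authorization");
        String headerMd5 = headers.get("Content-MD5");
        if (authorization == null || headerMd5 == null) {
            return false;                      // both headers are required; fail closed
        }
        int sep = authorization.indexOf(':');
        if (sep < 0) {
            return false;                      // malformed credential
        }
        byte[] key = KEYS.get(authorization.substring(0, sep).trim());
        if (key == null) {
            return false;                      // unknown key id
        }
        String presented = authorization.substring(sep + 1).trim();

        // Digest the body we actually received; the header value is only something to compare against.
        String actualMd5 = contentMd5(body);
        if (!MessageDigest.isEqual(actualMd5.getBytes(StandardCharsets.US_ASCII),
                                   headerMd5.trim().getBytes(StandardCharsets.US_ASCII))) {
            return false;                      // body was modified or the header is stale
        }
        // Bind the credential to the verified digest, again with a constant-time compare.
        String expected = sign(key, actualMd5);
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.US_ASCII),
                                     presented.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) {
        byte[] body = "{\"amount\":10}".getBytes(StandardCharsets.UTF_8);
        String md5 = contentMd5(body);
        String sig = sign(KEYS.get("demo-key"), md5);
        Map<String, String> headers = Map.of("Authorization", "demo-key:" + sig, "Content-MD5", md5);
        System.out.println("valid request: " + checkAuth(headers, body));

        // Replay of the same headers with a modified body, the case the gist's comment warns about.
        byte[] tampered = "{\"amount\":9999}".getBytes(StandardCharsets.UTF_8);
        System.out.println("tampered body: " + checkAuth(headers, tampered));
    }
}
```

The first call accepts the request; the replay is rejected at the Content-MD5 comparison because the digest of the received body no longer matches the header, which is exactly the attack a header-only check lets through. Both comparisons use `MessageDigest.isEqual` rather than `String.equals` so the check does not leak how many leading bytes matched.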