Skip to content

Avoid AWS auth v4 path/query param double encoding #5823

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
gtenev merged 1 commit into from
Aug 16, 2019
Merged

Avoid AWS auth v4 path/query param double encoding #5823

gtenev merged 1 commit into from
Aug 16, 2019

Conversation

@gtenev
Copy link
Contributor

@gtenev gtenev commented Aug 13, 2019

AWS signature validation differs from the spec published here (or spec
not detailed enough): "Task 1: Create a Canonical Request”

During signature calculation (CanonicalURI and CanonicalQueryString
inside the CanonicalRequest) AWS avoids URI encoding of already
encoded path or query parameters which is nowhere mentioned in the
specification but it is likely done according to rfc3986#section-2.4
which says "implementations must not percent-encode or decode the
same string more than once ..."

We already had a fix for query parementer values. Added missing
checks to be consistent with AWS behavior while still waiting for
response/confirmation from AWS.

@gtenev
Avoid AWS auth v4 path/query param double encoding
41c0717 
AWS signature validation differs from the spec published here (or spec
not detailed enough):
  http://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html
("Task 1: Create a Canonical Request”)

During signature calculation (CanonicalURI and CanonicalQueryString
inside the CanonicalRequest) AWS avoids URI encoding of already
encoded path or query parameters which is nowhere mentioned in the
specification but it is likely done according to rfc3986#section-2.4
which says "implementations must not percent-encode or decode the
same string more than once ..."

We already had a fix for query parementer values. Added missing
checks to be consistent with AWS behavior while still waiting for
response/confirmation from AWS.
@gtenev gtenev added the Plugins label Aug 13, 2019
@gtenev gtenev added this to the 10.0.0 milestone Aug 13, 2019
@gtenev gtenev requested review from d2r and ezelkow1 August 13, 2019 19:01
@gtenev gtenev self-assigned this Aug 13, 2019
@zwoop zwoop modified the milestones: 10.0.0, 9.0.0 Aug 13, 2019
d2r
d2r approved these changes Aug 16, 2019
View reviewed changes
Copy link
Contributor

@d2r d2r left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems good to me.

@gtenev gtenev merged commit 30b75a3 into apache:master Aug 16, 2019
@gtenev gtenev deleted the aws_auth_v4_avoid_double_uriencoding branch August 16, 2019 15:17
@bryancall bryancall modified the milestones: 9.0.0, 8.0.6 Oct 30, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@d2r d2r d2r approved these changes

@ezelkow1 ezelkow1 Awaiting requested review from ezelkow1

Assignees

@gtenev gtenev

Labels

Plugins

Projects

None yet

Milestone

8.0.6

Development

Successfully merging this pull request may close these issues.

4 participants

@gtenev @d2r @zwoop @bryancall