From 7c56d1040ddc2b39622f751cd6ad5c1638a5d18e Mon Sep 17 00:00:00 2001
From: Alex Auvolat
Date: Thu, 18 May 2023 00:06:03 +0200
Subject: k2v signature verification: double urlencoding, as expected by rusoto_signature (s3 is the only service that does not do double-urlencoding when computing signatures...)
---
src/api/signature/payload.rs | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
(limited to 'src/api/signature/payload.rs')
diff --git a/src/api/signature/payload.rs b/src/api/signature/payload.rs
index 4c7934e5..e264392b 100644
--- a/src/api/signature/payload.rs
+++ b/src/api/signature/payload.rs
@@ -27,8 +27,10 @@ pub async fn check_payload_signature(
 headers.insert(key.to_string(), val.to_str()?.to_string());
 }
 if let Some(query) = request.uri().query() {
+ trace!("got query: {}", query);
 let query_pairs = url::form_urlencoded::parse(query.as_bytes());
 for (key, val) in query_pairs {
+ trace!("query pair: `{}` = `{}`", key, val);
 headers.insert(key.to_lowercase(), val.to_string());
 }
 }
@@ -56,6 +58,7 @@ pub async fn check_payload_signature(
 &headers,
 &authorization.signed_headers,
 &authorization.content_sha256,
+ service != "s3",
 );
 let (_, scope) = parse_credential(&authorization.credential)?;
 let string_to_sign = string_to_sign(&authorization.date, &scope, &canonical_request);
@@ -236,10 +239,16 @@ pub fn canonical_request(
 headers: &HashMap,
 signed_headers: &str,
 content_sha256: &str,
+ double_encode_path: bool,
 ) -> String {
+ let path: std::borrow::Cow = if double_encode_path {
+ uri_encode(uri.path(), false).into()
+ } else {
+ uri.path().into()
+ };
 [
 method.as_str(),
- uri.path(),
+ &path,
 &canonical_query_string(uri),
 &canonical_header_string(headers, signed_headers),
 "",
-- 
cgit v1.2.3
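Review bot: The two `trace!` calls added in the `@@ -27,8 +27,10 @@` hunk of `check_payload_signature` write the raw query string and every decoded value to the log before the signature has been verified. If this path also serves query-string (presigned) authentication, the query carries `X-Amz-Credential` and `X-Amz-Signature`, so a trace-level log would hold material that stays usable until the URL expires. The values are URL-decoded and come from an unauthenticated caller, so they can also contain newlines or other control characters that corrupt log lines. I would log the key only and debug-format it, e.g. `trace!("query pair: {:?} (value redacted)", key);`, and drop the whole-query line. The function body starts and ends outside the hunk.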
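Review bot: `service != "s3"` in the `@@ -56,6 +58,7 @@` hunk makes double encoding the default for any service string that is not exactly `s3`, and hands it over as a bare positional `bool` with no comment at the call site. Where `service` comes from is outside the hunk; it should be a value fixed by the server for the endpoint and never the service field parsed from the request's credential scope, otherwise the caller chooses the canonicalization it is verified against. A comment here would record the rule, e.g. `// SigV4: every service except S3 URI-encodes the canonical path twice`. A two-variant enum in place of the `bool` would also stop the flag from being read as its opposite at other call sites of `canonical_request`.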
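Review bot: In `canonical_request` (`@@ -236,10 +239,16 @@`) the new branch re-encodes `uri.path()` exactly as it arrived on the wire, with no decoding or normalisation first, and nothing in the commit pins that behaviour with a test. A client whose signer normalises the path or escapes a character that it sends unescaped would compute a different canonical request; that fails closed, but a unit test with an escaped character in the path, run once with `double_encode_path` true and once false, would catch a regression in either direction. The meaning of the `false` argument to `uri_encode` is not visible in the hunk; presumably it leaves `/` unescaped, and a comment such as `// keep '/' as-is; only segment contents are encoded again` would say so. Any doc comment on the function is outside the hunk and should describe the new parameter.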