Project

General

Profile

Bug #22352

rados gateway computes wrong AWS4 signature if canonical request contains the tilde (~) character

Added by Saverio Proto about 1 year ago. Updated 10 months ago.

Status:
Duplicate
Priority:
Normal
Assignee:
Target version:
Start date:
12/08/2017
Due date:
% Done:

0%

Source:
Tags:
Backport:
luminous jewel
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:

Description

Hello,

I have been debugging a IBM client not able to use the rados gateway, because the AWS4 signature was never verified correctly.

Looking at the requests from the client, in the requests parameter I have something with the tilde (~)

uploadId=2~l9dT9Q_FPFrbL2xnr5rtNkKrDunI83k

But when I look into the radosgw debug log I see:

uploadId=2%7El9dT9Q_FPFrbL2xnr5rtNkKrDunI83k

The Rados gateway is doing something wrong with the specification:

http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html

Do not URI-encode any of the unreserved characters that RFC 3986 defines: A-Z, a-z, 0-9, hyphen ( - ), underscore ( _ ), period ( . ), and tilde ( ~ ).

To reproduce this problem you can use this sample code:
http://docs.aws.amazon.com/general/latest/gr/sigv4-signed-request-examples.html

From the debug log of the radosgw extract all the strings you need to use them in python code.

If you print the "signature" variable, using ~ or %7E in the string "canonical_querystring" you can see the exact match, you will get 1 time the value calculated by the client and 1 time the value calculated by the rados gateway.

Thank you

Saverio Proto

History

#1 Updated by Matt Benjamin about 1 year ago

  • Status changed from New to Triaged
  • Assignee set to Marcus Watts
  • Backport set to luminous jewel

@marcus, could you take a look?

Matt

#2 Updated by John Spray 11 months ago

  • Project changed from Ceph to rgw
  • Category deleted (22)

#3 Updated by Matt Benjamin 11 months ago

  • Assignee changed from Marcus Watts to Matt Benjamin

#4 Updated by Matt Benjamin 11 months ago

  • Status changed from Triaged to Need Test

Hi Saverio,

Could you please review the comments for http://tracker.ceph.com/issues/22731, which may overlap? A candidate fix for the issue I did reproduce against v10.2.10 has a candidate backport PR.

Thanks!

Matt

#5 Updated by Saverio Proto 11 months ago

Hello,

yes it looks like the same issue. Thanks

Saverio

#6 Updated by Casey Bodley 10 months ago

  • Status changed from Need Test to Duplicate

Also available in: Atom PDF