Project

General

Profile

Actions
Copy link

Bug #63926

open

+ in object key leads to SignatureDoesNotMatch - uri encoding issue

Added by Ondrej Kukla 4 months ago. Updated 4 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Target version:
-
% Done:

0%

Source:
Tags:
Backport:
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

There is a issue with + in object key name which leads to SignatureDoesNotMatch.

Based on my debug I think that the issue comes from the fact that function aws4_uri_recode is run before the + for %20 replacement as you can see here.

https://github.com/ceph/ceph/blob/main/src/rgw/rgw_auth_s3.h#L521

This means that the + will be recoded to %2b so the replace afterwards will not be applied -> SignatureDoesNotMatch

Because of this there is a AWS s3 and Ceph difference because on s3 the + will be recoded as %20

Actions
Copy link
 #1

Updated by Casey Bodley 4 months ago

which client are you using to send these requests?

Actions
Copy link
 #2

Updated by Ondrej Kukla 4 months ago

I'm usually using Postman for testing, but we've found the issue while using our AWS sigv4 Lua implementation in Nginx that we use against s3 storages for some time.

I also have a screenshot of a debug rgw log to prove my issue. You can see it here - https://ibb.co/y8gw0HN and
https://ibb.co/prm6mMn

Let me know if you need more information.

Actions
Copy link

Also available in: Atom PDF