civetweb frontend fails authentication if URL has special chars
For example trying to initiate a multipart to a 'test:multi' key.
Logs from an attempt through fast cgi :
2014-06-17 11:19:08.837350 7f9808778700 10 auth_hdr: POST application/x-test Tue, 17 Jun 2014 09:19:29 GMT /test/test%3Amulti?uploads 2014-06-17 11:19:08.837438 7f9808778700 15 calculated digest=KNi7aibfXbT91TAUHBckk8KFGWk= 2014-06-17 11:19:08.837441 7f9808778700 15 auth_sign=KNi7aibfXbT91TAUHBckk8KFGWk= 2014-06-17 11:19:08.837444 7f9808778700 15 compare=0
Logs directly to civetweb frontend :
2014-06-17 11:18:59.629318 7f98d6ffd700 10 auth_hdr: POST application/x-test Tue, 17 Jun 2014 09:19:19 GMT /test/test:multi?uploads 2014-06-17 11:18:59.629360 7f98d6ffd700 15 calculated digest=j3b5HPoa6W9PXGYtXaVz2/XrhMw= 2014-06-17 11:18:59.629363 7f98d6ffd700 15 auth_sign=WgFrsBRHmIhOc0i6sDn0cCKQmyA= 2014-06-17 11:18:59.629364 7f98d6ffd700 15 compare=-19
The URL part is clearly wrong. It's been urldecoded by civetweb somewhere and shouldn't have been.
#1 Updated by Sylvain Munaut about 5 years ago
The problem is that civetweb only give the url-decoded URI in the
struct mg_request_info. I don't see how you can get the original version at all. And you can't just re-encode it because there is several url-encoded version that match the same url-decoded version and the S3 auth relies on the original one in the request, however it was encoded.
I don't see how to resolve this without patching civetweb to not URL decode.