Bug #22352
closed
rados gateway computes wrong AWS4 signature if canonical request contains the tilde (~) character
Description
Hello,
I have been debugging an IBM client not able to use the rados gateway, because the AWS4 signature was never verified correctly.
Looking at the requests from the client, in the request parameters I have something with the tilde (~):
uploadId=2~l9dT9Q_FPFrbL2xnr5rtNkKrDunI83k
But when I look into the radosgw debug log I see:
uploadId=2%7El9dT9Q_FPFrbL2xnr5rtNkKrDunI83k
The Rados gateway is doing something wrong with the specification:
http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
Do not URI-encode any of the unreserved characters that RFC 3986 defines: A-Z, a-z, 0-9, hyphen ( - ), underscore ( _ ), period ( . ), and tilde ( ~ ).
To reproduce this problem you can use this sample code:
http://docs.aws.amazon.com/general/latest/gr/sigv4-signed-request-examples.html
From the debug log of the radosgw extract all the strings you need to use them in python code.
If you print the "signature" variable, using ~ or %7E in the string "canonical_querystring", you can see the exact match: you will get once the value calculated by the client and once the value calculated by the rados gateway.
Thank you
Saverio Proto
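The mismatch described in the report, as an added example that is not part of the original ticket or the AWS sample code: the same request is signed once with the tilde left as-is and once with it encoded as %7E. The secret key, host, date, region and path are constructed sample values; only the uploadId comes from the report.

```python
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample values (not from the ticket), except the uploadId.
SECRET_KEY = "EXAMPLEsecretKEY"
REGION, SERVICE = "us-east-1", "s3"
AMZ_DATE, DATE_STAMP = "20171207T120000Z", "20171207"
HOST = "rgw.example.com"
PARAMS = {"partNumber": "1", "uploadId": "2~l9dT9Q_FPFrbL2xnr5rtNkKrDunI83k"}


def canonical_query(params, encode_tilde=False):
    """Sort and URI-encode query parameters as SigV4 requires.

    encode_tilde=True reproduces the behaviour seen in the radosgw log
    (~ becomes %7E); False leaves RFC 3986 unreserved characters alone.
    """
    pairs = []
    for key, value in sorted(params.items()):
        k, v = quote(key, safe="-_.~"), quote(value, safe="-_.~")
        if encode_tilde:
            k, v = k.replace("~", "%7E"), v.replace("~", "%7E")
        pairs.append(f"{k}={v}")
    return "&".join(pairs)


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sign(query, method="PUT", path="/bucket/object"):
    """Return the hex SigV4 signature for a request with an empty body."""
    payload_hash = hashlib.sha256(b"").hexdigest()
    headers = f"host:{HOST}\nx-amz-content-sha256:{payload_hash}\nx-amz-date:{AMZ_DATE}\n"
    signed = "host;x-amz-content-sha256;x-amz-date"
    canonical_request = "\n".join([method, path, query, headers, signed, payload_hash])
    scope = f"{DATE_STAMP}/{REGION}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", AMZ_DATE, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = ("AWS4" + SECRET_KEY).encode()
    for part in (DATE_STAMP, REGION, SERVICE, "aws4_request"):
        key = _hmac(key, part)
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    for label, enc in (("client (~ kept)", False), ("radosgw log (%7E)", True)):
        q = canonical_query(PARAMS, enc)
        print(f"{label:20} {q}\n{'':20} {sign(q)}")
```

The two printed signatures differ, so a server that canonicalizes ~ as %7E rejects every request whose query string contains a tilde.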
Updated by Matt Benjamin over 6 years ago
- Status changed from New to Triaged
- Assignee set to Marcus Watts
- Backport set to luminous jewel
@Marcus Sorensen, could you take a look?
Matt
Updated by John Spray over 6 years ago
- Project changed from Ceph to rgw
- Category deleted (22)
Updated by Matt Benjamin about 6 years ago
- Assignee changed from Marcus Watts to Matt Benjamin
Updated by Matt Benjamin about 6 years ago
- Status changed from Triaged to 17
Hi Saverio,
Could you please review the comments for http://tracker.ceph.com/issues/22731, which may overlap? A candidate fix for the issue I did reproduce against v10.2.10 has a candidate backport PR.
Thanks!
Matt
Updated by Saverio Proto about 6 years ago
Hello,
Yes, it looks like the same issue. Thanks
Saverio