Bug #35993
AWSv4 presigned signature misses quoting on X-Amz-Credential
Description
External ticket https://gitlab.com/gitlab-org/gitlab-workhorse/issues/181
The X-Amz-Credential query parameter is not correctly encoded during server-side signature generation for presigned AWSv4 URLs.
RGW uses it as-is from the URL query string, and if that mismatches the quoting used in client-side signature generation, then the server & client signatures will not match.
The specification requires that the query-string keys & values are all quoted. The Fog library had behavior where it would use correct quoting during client-side signature generation, but then it would output a shorter form with less quoting, which has since been fixed: https://github.com/fog/fog-aws/commit/7c36189fb02c9b3cee8f1b93441e1edf95732028
Spec page: https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
Example with correct quoting per spec: X-Amz-Credential=AKIDEXAMPLE%2F20150830%2Fus-east-1%2Fiam%2Faws4_request
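The mismatch described above, reproduced as an added example (not RGW or Fog code): a client signs over the spec-quoted canonical query, and two hypothetical server models verify it, one using the query text as-is and one decoding then re-encoding each pair. The secret key, host, path and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
from urllib.parse import quote, unquote

SECRET = "constructed-secret-key"  # constructed sample value, not a real key
CRED = "AKIDEXAMPLE/20150830/us-east-1/iam/aws4_request"  # page's example, decoded
PARAMS = [("X-Amz-Algorithm", "AWS4-HMAC-SHA256"), ("X-Amz-Credential", CRED),
          ("X-Amz-Date", "20150830T000000Z"), ("X-Amz-Expires", "300"),
          ("X-Amz-SignedHeaders", "host")]

def enc(s):
    # SigV4 URI encoding: every byte except A-Z a-z 0-9 - _ . ~ becomes %XX
    return quote(s, safe="-_.~")

def canonical_query(pairs):
    # Encode keys and values, then sort by encoded key
    return "&".join(f"{k}={v}" for k, v in sorted((enc(k), enc(v)) for k, v in pairs))

def sign(canon_query, host="rgw.example.test", path="/bucket/key"):  # assumed host/path
    _, date, region, service, term = CRED.split("/")
    creq = "\n".join(["GET", path, canon_query, f"host:{host}", "", "host",
                      "UNSIGNED-PAYLOAD"])
    sts = "\n".join(["AWS4-HMAC-SHA256", dict(PARAMS)["X-Amz-Date"],
                     f"{date}/{region}/{service}/{term}",
                     hashlib.sha256(creq.encode()).hexdigest()])
    key = ("AWS4" + SECRET).encode()
    for part in (date, region, service, term, sts):  # key derivation, then signature
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return key.hex()

def client_signature():
    return sign(canonical_query(PARAMS))

def wire_query(quote_credential):
    # Query string as emitted in the URL; False leaves the credential's "/" unquoted
    return "&".join(f"{k}={v if k == 'X-Amz-Credential' and not quote_credential else enc(v)}"
                    for k, v in PARAMS)

def server_as_is(qs):
    # Models the reported behaviour: query text goes into the canonical request verbatim
    return sign("&".join(sorted(qs.split("&"))))

def server_normalized(qs):
    # Decode each pair from the wire, then re-encode per the spec before signing
    pairs = [tuple(unquote(x) for x in p.split("=", 1)) for p in qs.split("&")]
    return sign(canonical_query(pairs))
```

Only the as-is model depends on how the client happened to quote the URL; the normalizing model reaches the client's signature for both wire forms.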
History
#1 Updated by Casey Bodley over 5 years ago
- Related to Bug #26965: Compliance to aws s3's relaxed query handling behaviour added
#2 Updated by Yehuda Sadeh over 5 years ago
@robbat2 can you verify that this PR fixes it for you?
https://github.com/ceph/ceph/pull/23652
#3 Updated by Yehuda Sadeh over 5 years ago
- Status changed from 12 to Need More Info
#4 Updated by Abhishek Lekshmanan about 5 years ago
- Status changed from Need More Info to Resolved