Bug #35993

AWSv4 presigned signature misses quoting on X-Amz-Credential

Added by Robin Johnson over 5 years ago. Updated about 5 years ago.

Status: Resolved
Priority: High
Assignee:
Target version: -
% Done: 0%
Source: Community (dev)
Tags: awsv4
Backport: luminous, mimic
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite: rgw
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

External ticket https://gitlab.com/gitlab-org/gitlab-workhorse/issues/181

The X-Amz-Credential query parameter is not correctly encoded during server-side signature generation for presigned AWSv4 URLs.

RGW uses it as-is from the URL query string, and if that mismatches the quoting used in client-side signature generation, then the server & client signatures will not match.

The specification requires that the query-string keys & values are all quoted. The Fog library had behavior where it would use correct quoting during client-side signature generation, but then it would output a shorter form with less quoting, which has since been fixed: https://github.com/fog/fog-aws/commit/7c36189fb02c9b3cee8f1b93441e1edf95732028

Spec page: https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
Example with correct quoting per spec:
X-Amz-Credential=AKIDEXAMPLE%2F20150830%2Fus-east-1%2Fiam%2Faws4_request
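
The mismatch described in this report, as an added Python example (not part of the original ticket and not RGW or Fog code): a verifier that signs over the query string as-is is compared with one that re-encodes every key and value per the SigV4 canonical-request rules. The secret, host, path and the `normalize` switch are constructed assumptions; the credential string is the one quoted above.

```python
import hashlib
import hmac
from urllib.parse import quote, unquote

def uri_encode(s):
    # SigV4 URI-encoding: percent-encode everything except A-Z a-z 0-9 - _ . ~
    return quote(s, safe="-_.~")

def canonical_query(raw_query, normalize=True):
    # normalize=False models a verifier that takes values as-is from the URL.
    pairs = []
    for item in raw_query.split("&"):
        key, _, value = item.partition("=")
        if normalize:  # decode first so already-encoded input is not double-encoded
            key, value = uri_encode(unquote(key)), uri_encode(unquote(value))
        pairs.append((key, value))
    return "&".join(f"{k}={v}" for k, v in sorted(pairs))

def signature(secret, method, path, host, raw_query, amz_date, scope, normalize=True):
    canonical_request = "\n".join([
        method, path, canonical_query(raw_query, normalize),
        f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = ("AWS4" + secret).encode()
    for part in scope.split("/"):  # date, region, service, "aws4_request"
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()

# Constructed sample values (hypothetical secret, host and path).
SECRET = "EXAMPLE-SECRET-NOT-REAL"
SCOPE = "20150830/us-east-1/iam/aws4_request"
REQ = ("GET", "/bucket/object", "rgw.example.com")
DATE = "20150830T123600Z"
# URL as emitted with less quoting: slashes in X-Amz-Credential left raw.
LOOSE = ("X-Amz-Algorithm=AWS4-HMAC-SHA256"
         f"&X-Amz-Credential=AKIDEXAMPLE/{SCOPE}"
         f"&X-Amz-Date={DATE}&X-Amz-Expires=300&X-Amz-SignedHeaders=host")
QUOTED = LOOSE.replace("/", "%2F")  # fully quoted form the client signed over

def compare():
    client = signature(SECRET, *REQ, QUOTED, DATE, SCOPE, normalize=False)
    as_is = signature(SECRET, *REQ, LOOSE, DATE, SCOPE, normalize=False)
    fixed = signature(SECRET, *REQ, LOOSE, DATE, SCOPE, normalize=True)
    # (does the as-is verifier match?, does the normalizing verifier match?)
    return hmac.compare_digest(client, as_is), hmac.compare_digest(client, fixed)

if __name__ == "__main__":
    print(canonical_query(LOOSE))
    print(compare())
```

Decoding before re-encoding lets the normalizing verifier accept both the fully quoted URL and the shorter form, since both canonicalize to the same string.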


Related issues

Related to rgw - Bug #26965: Compliance to aws s3's relaxed query handling behaviour Resolved 08/20/2018

History

#1 Updated by Casey Bodley over 5 years ago

  • Related to Bug #26965: Compliance to aws s3's relaxed query handling behaviour added

#2 Updated by Yehuda Sadeh over 5 years ago

@robbat2 can you verify that this PR fixes it for you?
https://github.com/ceph/ceph/pull/23652

#3 Updated by Yehuda Sadeh over 5 years ago

  • Status changed from 12 to Need More Info

#4 Updated by Abhishek Lekshmanan about 5 years ago

  • Status changed from Need More Info to Resolved
