mosiac1
commented
3 weeks ago Closing, this PR was for documentation purposes, I am not sure we should support this encoding/decoding behaviour as a proxy.
Closed mosiac1 closed 3 weeks ago
mosiac1
commented
3 weeks ago Closing, this PR was for documentation purposes, I am not sure we should support this encoding/decoding behaviour as a proxy.
Tests are currently failing.
From the SigV4 spec, the path included in the Canonical Request string should have its segments URI encoded.
Both the Java AWS SDK and the AWS CLI will encode the path before sending the request. For example, for the key
a=1in bucketfoothe request path would be/foo/a%3D1. This is both the path used in the Canonical Request (for SigV4) and the path of the actual HTTP request.Playing around with modifying the HTTP path of signed requests I found that Ceph S3 will consider the signature valid even if the path is not encoded. For the example above, Ceph treats
/foo/a%3D1and/foo/a=1as equivalent.I think
aws-proxyshould behave the same, decoding the path once and re-encoding when computing the Canonical Request strings.Looks like Jetty doesn't do this by default, which does make sense as most reserved URI characters are allows in paths.