Closed zhucaifeng81 closed 6 months ago
@zhucaifeng81 Thanks for the bug report and a fix! Feel free to open a PR with this patch if you want to get the GitHub contribution credit for it. If not, no problem and I'll open a PR for this.
No credit is needed. It is already a pleasure to study the clean VGW code. Thanks for your excellent work.
Describe the bug createPresignedHttpRequestFromCtx() in s3api/utils/utils.go does not generate a canonical URL, and the presigned URL check will fail for any URL if its query args contain ';' or its path contains UTF-8 code.
This problem is caused by ctx.Request().URI() returning the decoded path and query args. Thus the URL newly assembled by createPresignedHttpRequestFromCtx is not canonical and may contain an unescaped semicolon ';'. This will make signer.PresignHTTP() in CheckPresignedSignature fail to generate the correct signature because query args containing a semicolon are omitted by net/url.ParseQuery, as the stack below shows.
The same analysis applies to UTF-8 code.
According to https://docs.aws.amazon.com/IAM/latest/UserGuide/create-signed-request.html, url should be canonical when checking presigned url. A proposed fix is listed below, subject to consideration by the VGW author.
To Reproduce Use AWS SDK to presign a URL whose query argument contains a semicolon, like below
Server Version output of
Additional context Describe s3 client and version if applicable.
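The semicolon case from the report, as an added example that is not the project's code or the reporter's patch: a URL reassembled from decoded parts loses the semicolon-bearing argument in net/url.ParseQuery, while a re-escaped URL keeps it. The host, object path, argument values and helper names are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// arg is one query pair after the web framework has already URL-decoded it.
type arg struct{ key, val string }

// Constructed sample: a presigned GET that overrides the response content type.
var sampleArgs = []arg{{"X-Amz-Expires", "900"}, {"response-content-type", "text/plain;charset=utf-8"}}

// naiveURL glues decoded parts back together with no re-encoding.
func naiveURL(base, path string, args []arg) string {
	pairs := make([]string, 0, len(args))
	for _, a := range args {
		pairs = append(pairs, a.key+"="+a.val)
	}
	return base + path + "?" + strings.Join(pairs, "&")
}

// escapedURL percent-encodes the path and every key and value first.
// Note: url.QueryEscape writes a space as '+'; this sample contains no spaces.
func escapedURL(base, path string, args []arg) string {
	pairs := make([]string, 0, len(args))
	for _, a := range args {
		pairs = append(pairs, url.QueryEscape(a.key)+"="+url.QueryEscape(a.val))
	}
	return base + (&url.URL{Path: path}).EscapedPath() + "?" + strings.Join(pairs, "&")
}

// parsedQuery returns what net/url.ParseQuery sees in the URL's query string.
func parsedQuery(raw string) (url.Values, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	return url.ParseQuery(u.RawQuery)
}

func main() {
	for _, raw := range []string{
		naiveURL("http://gw.example", "/bucket/résumé.txt", sampleArgs),
		escapedURL("http://gw.example", "/bucket/résumé.txt", sampleArgs),
	} {
		v, err := parsedQuery(raw)
		fmt.Printf("%s\n  content-type=%q err=%v\n", raw, v.Get("response-content-type"), err)
	}
}
```
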