presign: Verify query params for presign individually

Incoming request params in presigned can come in different order for different implementations. Rather than verifying a full string we should verify individual params instead. This patch fixes an incompatibility issue with AWS SDK Java. Fixes #1059 - Thanks to @notnoopci for reporting this problem.
9 years ago · 2469c9c591
parent ed69c58490
commit 2469c9c591
1 changed files with 19 additions and 4 deletions
--- a/pkg/fs/signature.go
+++ b/pkg/fs/signature.go
@ -308,12 +308,27 @@ func (r *Signature) DoesPresignedSignatureMatch() (bool, *probe.Error) {
 	query.Set("X-Amz-Expires", strconv.Itoa(expireSeconds))
 	query.Set("X-Amz-SignedHeaders", r.getSignedHeaders(r.extractSignedHeaders()))
 	query.Set("X-Amz-Credential", r.AccessKeyID+"/"+r.getScope(t))
-
 	encodedQuery := query.Encode()
-	newSignature := r.getSignature(r.getSigningKey(t), r.getStringToSign(r.getPresignedCanonicalRequest(encodedQuery), t))
-	encodedQuery += "&X-Amz-Signature=" + newSignature

-	if encodedQuery != r.Request.URL.RawQuery {
+	// Verify if date query is same.
+	if r.Request.URL.Query().Get("X-Amz-Date") != query.Get("X-Amz-Date") {
+		return false, nil
+	}
+	// Verify if expires query is same.
+	if r.Request.URL.Query().Get("X-Amz-Expires") != query.Get("X-Amz-Expires") {
+		return false, nil
+	}
+	// Verify if signed headers query is same.
+	if r.Request.URL.Query().Get("X-Amz-SignedHeaders") != query.Get("X-Amz-SignedHeaders") {
+		return false, nil
+	}
+	// Verify if credential query is same.
+	if r.Request.URL.Query().Get("X-Amz-Credential") != query.Get("X-Amz-Credential") {
+		return false, nil
+	}
+	// Verify finally if signature is same.
+	newSignature := r.getSignature(r.getSigningKey(t), r.getStringToSign(r.getPresignedCanonicalRequest(encodedQuery), t))
+	if r.Request.URL.Query().Get("X-Amz-Signature") != newSignature {
 		return false, nil
 	}
 	return true, nil