From 2469c9c5917a80f689f3853127bd6985fccc2fc1 Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Thu, 28 Jan 2016 11:55:00 -0800
Subject: [PATCH] presign: Verify query params for presign individually

Incoming request params in presigned can come in different order for different implementations. Rather than verifying a full string we should verify individual params instead. This patch fixes an incompatibility issue with AWS SDK Java. Fixes #1059 - Thanks to @notnoopci for reporting this problem.
---
pkg/fs/signature.go | 23 +++++++++++++++++++----
1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/pkg/fs/signature.go b/pkg/fs/signature.go
index 582501ae6..83959a04f 100644
--- a/pkg/fs/signature.go
+++ b/pkg/fs/signature.go
@@ -308,12 +308,27 @@ func (r *Signature) DoesPresignedSignatureMatch() (bool, *probe.Error) {
 query.Set("X-Amz-Expires", strconv.Itoa(expireSeconds))
 query.Set("X-Amz-SignedHeaders", r.getSignedHeaders(r.extractSignedHeaders()))
 query.Set("X-Amz-Credential", r.AccessKeyID+"/"+r.getScope(t))
- encodedQuery := query.Encode()
- newSignature := r.getSignature(r.getSigningKey(t), r.getStringToSign(r.getPresignedCanonicalRequest(encodedQuery), t))
- encodedQuery += "&X-Amz-Signature=" + newSignature
- if encodedQuery != r.Request.URL.RawQuery {
+ // Verify if date query is same.
+ if r.Request.URL.Query().Get("X-Amz-Date") != query.Get("X-Amz-Date") {
+ return false, nil
+ }
+ // Verify if expires query is same.
+ if r.Request.URL.Query().Get("X-Amz-Expires") != query.Get("X-Amz-Expires") {
+ return false, nil
+ }
+ // Verify if signed headers query is same.
+ if r.Request.URL.Query().Get("X-Amz-SignedHeaders") != query.Get("X-Amz-SignedHeaders") {
+ return false, nil
+ }
+ // Verify if credential query is same.
+ if r.Request.URL.Query().Get("X-Amz-Credential") != query.Get("X-Amz-Credential") {
+ return false, nil
+ }
+ // Verify finally if signature is same.
+ newSignature := r.getSignature(r.getSigningKey(t), r.getStringToSign(r.getPresignedCanonicalRequest(encodedQuery), t))
+ if r.Request.URL.Query().Get("X-Amz-Signature") != newSignature {
 return false, nil
 }
 return true, nil
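Review bot: The final check compares the client-supplied `X-Amz-Signature` with the computed value using `!=`, which is not a constant-time comparison; I would write it as `if subtle.ConstantTimeCompare([]byte(r.Request.URL.Query().Get("X-Amz-Signature")), []byte(newSignature)) != 1 {` (needs `crypto/subtle`). As shown, the hunk also removes `encodedQuery := query.Encode()` while the added `newSignature` line still passes `encodedQuery`, so unless that name is declared elsewhere the function will not build and the declaration should be kept. The old whole-string comparison rejected any query parameter the server had not reconstructed, whereas the new checks look at five named parameters only; if `query` holds just the X-Amz-* values (its construction starts above the hunk), other request parameters are no longer covered by any check and should either be folded into the canonical query or rejected. The function body begins and ends outside the hunk, so an expiry check against the current time may exist there but is not visible here.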