From b8f0d9352f0b234a15bf512e52c4235523160e96 Mon Sep 17 00:00:00 2001
From: Anis Elleuch
Date: Mon, 14 Nov 2016 19:23:21 +0100
Subject: [PATCH] signature-v2: encode path and query strings when calculating signature (#3253)

---
 cmd/signature-v2.go | 11 +++++++----
 cmd/test-utils_test.go | 4 ++--
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/cmd/signature-v2.go b/cmd/signature-v2.go
index 9dea67e97..1148ed7af 100644
--- a/cmd/signature-v2.go
+++ b/cmd/signature-v2.go
@@ -191,17 +191,20 @@ func doesSignV2Match(r *http.Request) APIErrorCode {
 return apiError
 }

- // url.RawPath will be valid if path has any encoded characters, if not it will
- // be empty - in which case we need to consider url.Path (bug in net/http?)
+ // Encode path:
+ // url.RawPath will be valid if path has any encoded characters, if not it will
+ // be empty - in which case we need to consider url.Path (bug in net/http?)
 encodedResource := r.URL.RawPath
- encodedQuery := r.URL.RawQuery
 if encodedResource == "" {
 splits := strings.Split(r.URL.Path, "?")
 if len(splits) > 0 {
- encodedResource = splits[0]
+ encodedResource = getURLEncodedName(splits[0])
 }
 }

+ // Encode query strings
+ encodedQuery := r.URL.Query().Encode()
+
 expectedAuth := signatureV2(r.Method, encodedResource, encodedQuery, r.Header)
 if v2Auth != expectedAuth {
 return ErrSignatureDoesNotMatch
diff --git a/cmd/test-utils_test.go b/cmd/test-utils_test.go
index edc649cd9..d8d53892b 100644
--- a/cmd/test-utils_test.go
+++ b/cmd/test-utils_test.go
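Review bot: In `doesSignV2Match` (cmd/signature-v2.go), `encodedQuery := r.URL.Query().Encode()` makes the verifier sign a re-serialised query instead of the one it received: `Query()` silently discards pairs that fail to parse, and `Encode()` sorts keys, writes a space as `+` and emits `acl=` for a bare `?acl`. Whether that form matches what V2 clients sign depends on `signatureV2`, which is outside the hunk, so it deserves a test with a valueless sub-resource and a value containing a space. I would parse explicitly and fail closed before building `encodedQuery`, e.g. `if _, err := url.ParseQuery(r.URL.RawQuery); err != nil { return ErrSignatureDoesNotMatch }`. The unchanged comparison `if v2Auth != expectedAuth` is not constant-time; `subtle.ConstantTimeCompare` over the two byte slices is the usual form for a MAC check. `doesSignV2Match` begins and ends outside the hunk.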
@@ -950,13 +950,13 @@ func signRequestV2(req *http.Request, accessKey, secretKey string) error {
 // url.RawPath will be valid if path has any encoded characters, if not it will
 // be empty - in which case we need to consider url.Path (bug in net/http?)
 encodedResource := req.URL.RawPath
- encodedQuery := req.URL.RawQuery
 if encodedResource == "" {
 splits := strings.Split(req.URL.Path, "?")
 if len(splits) > 0 {
- encodedResource = splits[0]
+ encodedResource = getURLEncodedName(splits[0])
 }
 }
+ encodedQuery := req.URL.Query().Encode()

 // Calculate HMAC for secretAccessKey.
 stringToSign := signV2STS(req.Method, encodedResource, encodedQuery, req.Header)
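Review bot: `signRequestV2` now derives `encodedResource` and `encodedQuery` with the same calls the server-side check uses (`getURLEncodedName`, `req.URL.Query().Encode()`), so any test signed through this helper passes even if that canonical form differs from what an independent V2 client would sign. A fixed vector would close that gap: one request whose string-to-sign and signature were computed outside this code base, asserted against the verifier. A short comment on the helper would also help, such as `// Mirrors the canonicalisation in doesSignV2Match; keep both in sync.`. `signRequestV2` begins and ends outside the hunk.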