signature-v2: encode path and query strings when calculating signature (#3253)

2024-10-01 05:33:46 +00:00 · 2016-11-14 19:23:21 +01:00 · 2016-11-14 19:23:21 +01:00 · b8f0d9352f
parent f234c35020
commit b8f0d9352f
2 changed files with 9 additions and 6 deletions
--- a/cmd/signature-v2.go
+++ b/cmd/signature-v2.go
@ -191,17 +191,20 @@ func doesSignV2Match(r *http.Request) APIErrorCode {
 		return apiError
 	}

-	// url.RawPath will be valid if path has any encoded characters, if not it will
-	// be empty - in which case we need to consider url.Path (bug in net/http?)
+	// Encode path:
+	//   url.RawPath will be valid if path has any encoded characters, if not it will
+	//   be empty - in which case we need to consider url.Path (bug in net/http?)
 	encodedResource := r.URL.RawPath
-	encodedQuery := r.URL.RawQuery
 	if encodedResource == "" {
 		splits := strings.Split(r.URL.Path, "?")
 		if len(splits) > 0 {
-			encodedResource = splits[0]
+			encodedResource = getURLEncodedName(splits[0])
 		}
 	}

+	// Encode query strings
+	encodedQuery := r.URL.Query().Encode()
+
 	expectedAuth := signatureV2(r.Method, encodedResource, encodedQuery, r.Header)
 	if v2Auth != expectedAuth {
 		return ErrSignatureDoesNotMatch
--- a/cmd/test-utils_test.go
+++ b/cmd/test-utils_test.go
@ -950,13 +950,13 @@ func signRequestV2(req *http.Request, accessKey, secretKey string) error {
 	// url.RawPath will be valid if path has any encoded characters, if not it will
 	// be empty - in which case we need to consider url.Path (bug in net/http?)
 	encodedResource := req.URL.RawPath
-	encodedQuery := req.URL.RawQuery
 	if encodedResource == "" {
 		splits := strings.Split(req.URL.Path, "?")
 		if len(splits) > 0 {
-			encodedResource = splits[0]
+			encodedResource = getURLEncodedName(splits[0])
 		}
 	}
+	encodedQuery := req.URL.Query().Encode()

 	// Calculate HMAC for secretAccessKey.
 	stringToSign := signV2STS(req.Method, encodedResource, encodedQuery, req.Header)