Comply with AWS signature calculation (s3v4)

The current implementation of s3 signature calculation rely on WSGI Url encoding which is discouraged by AWS: https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html. This leads to reject requests with valid signature. This update encode only characters specified by AWS except 'A'-'Z', 'a'-'z', '0'-'9', '-', '.', '_', and '~' to comply AWS signature calculation. Fixes LP Bug #1961841 Change-Id: Ifa8f94544224c3379e7f2805f6f86d0b0a47279a
author: Thibault Person <thibault.person@ovhcloud.com> 2022-03-15 15:12:57 +0100
committer: Tim Burke <tim.burke@gmail.com> 2022-03-15 15:25:02 -0700
commit: cb8b3cdab262af1d223c0536220400b13c1d0a9a (patch)
tree: 767ecaae0851245daaeebf48b0409cab78b2e568 /swift/common/middleware/s3api/s3request.py
parent: 014c98e853b86fc44312d879bec12099be6e22d0 (diff)
download: swift-cb8b3cdab262af1d223c0536220400b13c1d0a9a.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/swift/common/middleware/s3api/s3request.py b/swift/common/middleware/s3api/s3request.py
index 054cc0a85..e0bd434fe 100644
--- a/swift/common/middleware/s3api/s3request.py
+++ b/swift/common/middleware/s3api/s3request.py
@@ -401,7 +401,8 @@ class SigV4Mixin(object):
         """
         It won't require bucket name in canonical_uri for v4.
         """
-        return swob.wsgi_to_bytes(self.environ.get('RAW_PATH_INFO', self.path))
+        return swob.wsgi_to_bytes(swob.wsgi_quote(
+            self.environ.get('PATH_INFO', self.path), safe='-_.~/'))
 
     def _canonical_request(self):
         # prepare 'canonical_request'
author	Thibault Person <thibault.person@ovhcloud.com>	2022-03-15 15:12:57 +0100
committer	Tim Burke <tim.burke@gmail.com>	2022-03-15 15:25:02 -0700
commit	cb8b3cdab262af1d223c0536220400b13c1d0a9a (patch)
tree	767ecaae0851245daaeebf48b0409cab78b2e568 /swift/common/middleware/s3api/s3request.py
parent	014c98e853b86fc44312d879bec12099be6e22d0 (diff)
download	swift-cb8b3cdab262af1d223c0536220400b13c1d0a9a.tar.gz