lib: fix aws-sigv4 having date header twice in some cases

When the user was providing the header X-XXX-Date, the header was re-added during signature computation, and we had it twice in the request. Reported-by: apparentorder@users.noreply.github.com Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com> Fixes: https://github.com/curl/curl/issues/11738 Closes: https://github.com/curl/curl/pull/11754
2025-03-31 16:00:35 +08:00 · 2023-08-28 13:38:20 +02:00 · 2023-08-28 13:38:20 +02:00 · b137634ba3
commit b137634ba3
parent 7f597ca12c
5 changed files with 150 additions and 9 deletions
--- a/lib/http_aws_sigv4.c
+++ b/lib/http_aws_sigv4.c
@ -214,15 +214,11 @@ static CURLcode make_headers(struct Curl_easy *data,
    if(!tmp_head)
      goto fail;
    head = tmp_head;
-    *date_header = curl_maprintf("%s: %s", date_hdr_key, timestamp);
+    *date_header = curl_maprintf("%s: %s\r\n", date_hdr_key, timestamp);
  }
  else {
    char *value;

-    *date_header = strdup(*date_header);
-    if(!*date_header)
-      goto fail;
-
    value = strchr(*date_header, ':');
    if(!value)
      goto fail;
@ -231,6 +227,7 @@ static CURLcode make_headers(struct Curl_easy *data,
      ++value;
    strncpy(timestamp, value, TIMESTAMP_SIZE - 1);
    timestamp[TIMESTAMP_SIZE - 1] = 0;
+    *date_header = NULL;
  }

  /* alpha-sort in a case sensitive manner */
@ -612,14 +609,19 @@ CURLcode Curl_output_aws_sigv4(struct Curl_easy *data, bool proxy)
                               "Credential=%s/%s, "
                               "SignedHeaders=%s, "
                               "Signature=%s\r\n"
-                               "%s\r\n"
+                               /*
+                                * date_header is added here, only if it wasn't
+                                * user-specified (using CURLOPT_HTTPHEADER).
+                                * date_header includes \r\n
+                                */
+                               "%s"
                               "%s", /* optional sha256 header includes \r\n */
                               provider0,
                               user,
                               credential_scope,
                               Curl_dyn_ptr(&signed_headers),
                               sha_hex,
-                               date_header,
+                               date_header ? date_header : "",
                               content_sha256_hdr);
  if(!auth_headers) {
    goto fail;
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@ -224,7 +224,7 @@ test1916 test1917 test1918 test1919 \
 \
 test1933 test1934 test1935 test1936 test1937 test1938 test1939 test1940 \
 test1941 test1942 test1943 test1944 test1945 test1946 test1947 test1948 \
-test1955 test1956 test1957 test1958 test1959 test1960 \
+test1955 test1956 test1957 test1958 test1959 test1960 test1964 \
 test1970 test1971 test1972 test1973 test1974 test1975 \
 \
 test2000 test2001 test2002 test2003 test2004 \
--- a/tests/data/test1964
+++ b/tests/data/test1964
@ -0,0 +1,68 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+CURLOPT_AWS_SIGV4
+</keywords>
+</info>
+
+# Server-side
+<reply>
+<data nocheck="yes">
+HTTP/1.1 302 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Type: text/html
+Content-Length: 0
+Location: /%TESTNUMBER0002
+
+</data>
+<data2>
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Type: text/html
+Content-Length: 0
+
+</data2>
+</reply>
+
+# Client-side
+<client>
+<server>
+http
+</server>
+# this relies on the debug feature which allow to set the time
+<features>
+SSL
+crypto
+</features>
+
+<name>
+HTTP AWS_SIGV4 with one provider and auth cred via URL, but X-Xxx-Date header set manually
+</name>
+<tool>
+lib%TESTNUMBER
+</tool>
+
+<command>
+http://xxx:yyy@127.0.0.1:9000/%TESTNUMBER/testapi/test 127.0.0.1:9000:%HOSTIP:%HTTPPORT
+</command>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+<strip>
+^User-Agent:.*
+^Content-Type:.*
+^Accept:.*
+</strip>
+<protocol>
+GET /%TESTNUMBER/testapi/test HTTP/1.1
+Host: 127.0.0.1:9000
+Authorization: XXX4-HMAC-SHA256 Credential=xxx/19700101/0/127/xxx4_request, SignedHeaders=content-type;host;x-xxx-date, Signature=35da102c1df68f2ef85ade08ecc212fa663a66e3a973146f6578a5c5426e9669
+X-Xxx-Date: 19700101T000000Z
+
+</protocol>
+</verify>
+</testcase>
--- a/tests/libtest/Makefile.inc
+++ b/tests/libtest/Makefile.inc
@ -69,7 +69,7 @@ noinst_PROGRAMS = chkhostname libauthretry libntlmconnect libprereq      \
         lib1915 lib1916 lib1917 lib1918 lib1919 \
 lib1933 lib1934 lib1935 lib1936 lib1937 lib1938 lib1939 lib1940 \
 lib1945 lib1946 lib1947 lib1948 lib1955 lib1956 lib1957 lib1958 lib1959 \
- lib1960 \
+ lib1960 lib1964 \
 lib1970 lib1971 lib1972 lib1973 lib1974 lib1975 \
 lib2301 lib2302 lib2304 lib2305 lib2306 \
 lib2402 lib2404 \
@ -624,6 +624,9 @@ lib1959_LDADD = $(TESTUTIL_LIBS)
 lib1960_SOURCES = lib1960.c $(SUPPORTFILES)
 lib1960_LDADD = $(TESTUTIL_LIBS)

+lib1964_SOURCES = lib1964.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
+lib1964_LDADD = $(TESTUTIL_LIBS)
+
 lib1970_SOURCES = lib1970.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
 lib1970_LDADD = $(TESTUTIL_LIBS)

--- a/tests/libtest/lib1964.c
+++ b/tests/libtest/lib1964.c
@ -0,0 +1,68 @@
+/***************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at https://curl.haxx.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ * SPDX-License-Identifier: curl
+ *
+ ***************************************************************************/
+#include "test.h"
+
+#include "memdebug.h"
+
+int test(char *URL)
+{
+  CURL *curl;
+  CURLcode res = CURLE_OK;
+  struct curl_slist *connect_to = NULL;
+  struct curl_slist *list = NULL, *tmp;
+
+  global_init(CURL_GLOBAL_ALL);
+  easy_init(curl);
+
+  easy_setopt(curl, CURLOPT_VERBOSE, 1L);
+  easy_setopt(curl, CURLOPT_AWS_SIGV4, "xxx");
+  easy_setopt(curl, CURLOPT_URL, URL);
+  if(libtest_arg2) {
+    connect_to = curl_slist_append(connect_to, libtest_arg2);
+    if(!connect_to) {
+      res = CURLE_FAILED_INIT;
+      goto test_cleanup;
+    }
+  }
+  easy_setopt(curl, CURLOPT_CONNECT_TO, connect_to);
+  list = curl_slist_append(list, "Content-Type: application/json");
+  tmp = curl_slist_append(list, "X-Xxx-Date: 19700101T000000Z");
+  if(!list || !tmp) {
+    res = CURLE_FAILED_INIT;
+    goto test_cleanup;
+  }
+  list = tmp;
+  easy_setopt(curl, CURLOPT_HTTPHEADER, list);
+
+  res = curl_easy_perform(curl);
+
+test_cleanup:
+
+  curl_slist_free_all(connect_to);
+  curl_slist_free_all(list);
+  curl_easy_cleanup(curl);
+  curl_global_cleanup();
+
+  return res;
+}